6b782f6c49067f40b09ba603e598b03ad360f2c728bd3b26a9d925918e467a27

Analysis

max time kernel
236s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:44

Target

6b782f6c49067f40b09ba603e598b03ad360f2c728bd3b26a9d925918e467a27.dll
Size

140KB
MD5

534766e78761d2f4660d732103333d48
SHA1

63040ffe42b76edcdd45e780345d22198f2f5cb3
SHA256

6b782f6c49067f40b09ba603e598b03ad360f2c728bd3b26a9d925918e467a27
SHA512

053cf3d905f5a586fda9c7480caf26d362d06632590c11876542342bf6eed23c5a1553d9bd809ab621647ea17808def9faeb6672c64ef7c21e1d4e5c246a2b61
SSDEEP

3072:kvJ2Cz8wfnB4oiXH3VwgCy9Y8Xb8Y+o/:azF+8Yn

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1072 wrote to memory of 212	1072	rundll32.exe	rundll32.exe
PID 1072 wrote to memory of 212	1072	rundll32.exe	rundll32.exe
PID 1072 wrote to memory of 212	1072	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b782f6c49067f40b09ba603e598b03ad360f2c728bd3b26a9d925918e467a27.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b782f6c49067f40b09ba603e598b03ad360f2c728bd3b26a9d925918e467a27.dll,#1
2⤵
PID:212

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/212-132-0x0000000000000000-mapping.dmp

Download
memory/212-133-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download