Analysis
- max time kernel: 49s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:33
Static task
- static1

Behavioral task
- behavioral1
  Sample: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll
  Resource: win10v2004-20220812-en
General
- Target: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll
- Size: 1.9MB
- MD5: d25883bfad9f43005d89ae19790ca987
- SHA1: d721bfbbc4396813d87e7f61f5cfcc203595c1a7
- SHA256: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e
- SHA512: 525ae2abc1859791e01452a5753ccd36c1929de1e3c2574bcb9abdf46204ce1c6524c803bb986c17dce1e9a62b141f7e77d5c2b2dd9811c88f6e32dcb9e0a348
- SSDEEP: 6144:aaBEpPnIVKd48VABFpiW5ae66WG0FX4K2uQ4YzCx+By7:alpPnIES8VAcW5aer0Fol3WT
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\TMP provider = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\TMPprovider01C.dll, RunDllEntry" | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: rundll32.exe
  pid | process
  1172 | rundll32.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1760 wrote to memory of 1172 | 1760 | rundll32.exe | rundll32.exe
  PID 1172 wrote to memory of 1296 | 1172 | rundll32.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1296
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1760
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll,#1
      Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 1172