Analysis
- max time kernel: 150s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 07:33
Static task: static1
Behavioral task: behavioral1
- Sample: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll
- Resource: win10v2004-20220812-en
General
- Target: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll
- Size: 1.9MB
- MD5: d25883bfad9f43005d89ae19790ca987
- SHA1: d721bfbbc4396813d87e7f61f5cfcc203595c1a7
- SHA256: 84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e
- SHA512: 525ae2abc1859791e01452a5753ccd36c1929de1e3c2574bcb9abdf46204ce1c6524c803bb986c17dce1e9a62b141f7e77d5c2b2dd9811c88f6e32dcb9e0a348
- SSDEEP: 6144:aaBEpPnIVKd48VABFpiW5ae66WG0FX4K2uQ4YzCx+By7:alpPnIES8VAcW5aer0Fol3WT
Malware Config
(none extracted)

Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TMP provider = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\TMPprovider01C.dll, RunDllEntry" | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  4548 | rundll32.exe
  4548 | rundll32.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 4884 wrote to memory of 4548 | 4884 | rundll32.exe | rundll32.exe
  PID 4884 wrote to memory of 4548 | 4884 | rundll32.exe | rundll32.exe
  PID 4884 wrote to memory of 4548 | 4884 | rundll32.exe | rundll32.exe
  PID 4548 wrote to memory of 3060 | 4548 | rundll32.exe | Explorer.EXE
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84d8b4bfce5db860645a70278bc4a49bf5e6bcb35d9d0e7bea74e873c9c33e2e.dll,#1
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
Network
(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
- memory/4548-132-0x0000000000000000-mapping.dmp