Analysis
max time kernel: 70s
max time network: 66s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 12:40
Static task: static1

Behavioral task: behavioral1
Sample: 70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll
Resource: win10v2004-20220812-en
General
Target: 70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll
Size: 444KB
MD5: 7f2cae91b2a5498d73e078e0bdc97e6b
SHA1: 7e0cd7d320a531a11ec6692782ab30bfb32fe450
SHA256: 70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68
SHA512: 9fc62025306e712c48f6364b4fc0c8cffd3ad03d7d21c836d93414ac9ee5a4b21537a9ebd2ce8a19a6a5f3792fff4befbde95245cbb8209ec8dd19e502e94115
SSDEEP: 12288:41d9zQT5bxxfRZSLT1vmlRpR/qBRF85K:4HJQxxxJslm1lqfF85
Malware Config

Signatures

- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid  | process
  3    | 1096 | rundll32.exe

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                       | pid  | process      | target process
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 1096  | 1208 | rundll32.exe | rundll32.exe
  PID 1096 wrote to memory of 2036  | 1096 | rundll32.exe | netsh.exe
  PID 1096 wrote to memory of 2036  | 1096 | rundll32.exe | netsh.exe
  PID 1096 wrote to memory of 2036  | 1096 | rundll32.exe | netsh.exe
  PID 1096 wrote to memory of 2036  | 1096 | rundll32.exe | netsh.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll,#1
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll,#1
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\netsh.exe (child of 2)
   Command line: netsh firewall set opmode disable
   - Modifies Windows Firewall