70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68

Analysis

max time kernel
70s
max time network
66s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:40

Target

70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll
Size

444KB
MD5

7f2cae91b2a5498d73e078e0bdc97e6b
SHA1

7e0cd7d320a531a11ec6692782ab30bfb32fe450
SHA256

70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68
SHA512

9fc62025306e712c48f6364b4fc0c8cffd3ad03d7d21c836d93414ac9ee5a4b21537a9ebd2ce8a19a6a5f3792fff4befbde95245cbb8209ec8dd19e502e94115
SSDEEP

12288:41d9zQT5bxxfRZSLT1vmlRpR/qBRF85K:4HJQxxxJslm1lqfF85

Score

8^/10

evasion

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

3 1096 rundll32.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2036 netsh.exe

flow	pid	process
3	1096	rundll32.exe

pid	process
2036	netsh.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1096	1208	rundll32.exe	rundll32.exe
PID 1096 wrote to memory of 2036	1096	rundll32.exe	netsh.exe
PID 1096 wrote to memory of 2036	1096	rundll32.exe	netsh.exe
PID 1096 wrote to memory of 2036	1096	rundll32.exe	netsh.exe
PID 1096 wrote to memory of 2036	1096	rundll32.exe	netsh.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70278d64e623290ce4e6a5583dd7d0bb2edeae469d2a08c9b89d0985dde8ed68.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:2036

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1096-54-0x0000000000000000-mapping.dmp

Download
memory/1096-55-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download