a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08

Analysis

max time kernel
164s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:20

Target

a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08.dll
Size

256KB
MD5

e80880c6a8ed62a9a81251505303ffdc
SHA1

9bc71c2fe9ff8a54ead96e2863a7f38622760147
SHA256

a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08
SHA512

32c70c4b5813e091f588afb16a6cda18cb2f66eeeaf07a0cad928b46adbfd8debf4c20274d2a49622c3e839d8eabc5b8bba7b5ad7edea266fc51d02178bc6a8b
SSDEEP

3072:wXp9dgNaMLffnE88Xxl+aoGSOEgarYFQ9ZnqoT8ObxbUSCpRor7lI+Lo7YK:wZOXEtH+GSOEgeYe9lXT8pvPoHlzLM

Score

8^/10

discovery upx

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1844-136-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1844-137-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1844-138-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-139-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-140-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-141-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\B0F21A89.cpp	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1844	rundll32.exe
1844	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1844	4272	rundll32.exe	81
PID 4272 wrote to memory of 1844	4272	rundll32.exe	81
PID 4272 wrote to memory of 1844	4272	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4d665a28e166dd89e353b39d3530548f5becdc239566a618574699f8e577a08.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1844

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1844-133-0x0000000000000000-mapping.dmp

Download
memory/1844-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1844-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1844-138-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-139-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-140-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-141-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download