856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c

General

Target

856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
Size

3.3MB
MD5

b675b8efe6f1a208314ce2d44ef8a677
SHA1

840db3de907bd8ab5f6cad8fc2668b1a534fd56f
SHA256

856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c
SHA512

74b68197cedcb52802b6cf0e2b8333b6082e0fd1cf339b8219a7ea0d9c993edd3755d6eaca2f71856bc65da238b58ea3a867cddc149b388626fba2987194a1b5
SSDEEP

49152:fH6teOGBaqYC0qfqx64BfP1OdUm7oLLHXJxnoG7EbQJZf8q1ZFQ21p4AjS9IqHTF:fHDFYnIV4pNLzvoWQs8q1gop4AjwHTX

Score

8^/10

discovery persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 5 IoCs

Processes:

856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exerundll32.exerundll32.exe

pid process

2108 856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2200 rundll32.exe
4284 rundll32.exe
4284 rundll32.exe
4284 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe

description	ioc	process
File created	C:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\1c311243 = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\6185d035 = "Vx/2/Cx/V//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\c99a5f5c = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\00000000\493c7345 = 6d0030003100650030003700380030006d00550031002b0030003700380030006d00550031002b00300036003400300061006c0031004400300036004900300070006c00310054003000300025002500000070006c00310044003000360049003000710078003100590030003600450030007100550031002b0030003600340030006e006c003000530030003600620030006e00550031005a00300030002500250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\e46c271e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f00300036004f0030006d0055003100670030003200490030006f0078003100530030003600710030006e0055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f00300036004f0030006d0055003100670030003200490030006f007800310053003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100590030003600450030006d006c003100680030003600340030006d006c0031004f0030003700380030007000780031004e0030003600450030006900780031004d0030003600620030007000780031004e0030003200490030006f0078003100530030003600710030006e0055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100590030003600450030006d006c003100680030003600340030006d006c0031004f0030003700380030007000780031004e0030003600450030006900780031004d0030003600620030007000780031004e0030003200490030006f007800310053003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100680030003600680030006d006c0031002b003000360062003000690030003100550030003600340030006d006c0031004e0030003600740030006d006c003000530030003600680030006e006c003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100680030003600680030006d006c0031002b003000360062003000690030003100550030003600340030006d006c0031004e0030003600740030006d006c003000530030003600680030006e006c00310041003000360045003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100410030003600680030006e006c0031002b00300036007800300071006c003100440030003700780030006d0030003100540030003700620030006f00780031004f0030003600680030006e0055003100530030003200490030006f007800310053003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100440030003600490030006d00550031004f0030003600340030006e006c003100670030003600740030006900550031004d0030003600340030006d0030003000530030003600490030007000780031004f003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f0030003600550030006f00780031004e00300037007800300061006c0031004400300036004900300070006c00310054003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100670030003600450030006e006c0031004f0030003600740030006a00300031004f0030003600550030006f00780031004e00300037007800300061006c00310053003000360074003000690030003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\f6ad6fa6 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\iiid = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\65114b36 = "VP/l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\72758a5d = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\00000000\370856c7 = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\48bd1aff = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\51d2f2ea = "RPAj/XV/a/A+/XP/GPAX/X6/alAz/XD/bx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\7367429f = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\d94388d2 = "GxAp/X2/FPAm/X6/FlAu/XD/ax/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\c24899a6 = "VP/g/CV/Vl/2/Cx////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\00000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\00000000\3efeb33e = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_25efdc5a\eae10f9d\060df2cd = "GlAu/YP/c/Au/YZ/GxAp/YZ/GP/j/Xt/axAv/X6////%"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exerundll32.exe

pid	process
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
4284	rundll32.exe
4284	rundll32.exe
4284	rundll32.exe
4284	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exerundll32.exe

description	pid	process	target process
PID 2108 wrote to memory of 2200	2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe	rundll32.exe
PID 2108 wrote to memory of 2200	2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe	rundll32.exe
PID 2108 wrote to memory of 2200	2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe	rundll32.exe
PID 4492 wrote to memory of 4284	4492	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 4284	4492	rundll32.exe	rundll32.exe
PID 4492 wrote to memory of 4284	4492	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
"C:\Users\Admin\AppData\Local\Temp\856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll",serv -install
2⤵
- Loads dropped DLL
PID:2200

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll",serv
1⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll",serv
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll
Filesize
2.1MB

MD5
c53d6a2642221c6452eb5af211b23df7

SHA1
925603c7b4d8b11c9d8177136620be400151b8ac

SHA256
e2cb07fd4f3164e8d8af43587b0c0f24bf45397dfab6edf2b8d541b57b95be60

SHA512
31b17195e70fd5311408e004b2e15b7ea3ba56b192878533e36ac34ccf4b32754fce117fe5c62742656053ac8ab79696020501105fd6605c8a234e274b35fbb8

Download Submit
C:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll
Filesize
2.1MB

MD5
c53d6a2642221c6452eb5af211b23df7

SHA1
925603c7b4d8b11c9d8177136620be400151b8ac

SHA256
e2cb07fd4f3164e8d8af43587b0c0f24bf45397dfab6edf2b8d541b57b95be60

SHA512
31b17195e70fd5311408e004b2e15b7ea3ba56b192878533e36ac34ccf4b32754fce117fe5c62742656053ac8ab79696020501105fd6605c8a234e274b35fbb8

Download Submit
C:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll
Filesize
2.1MB

MD5
c53d6a2642221c6452eb5af211b23df7

SHA1
925603c7b4d8b11c9d8177136620be400151b8ac

SHA256
e2cb07fd4f3164e8d8af43587b0c0f24bf45397dfab6edf2b8d541b57b95be60

SHA512
31b17195e70fd5311408e004b2e15b7ea3ba56b192878533e36ac34ccf4b32754fce117fe5c62742656053ac8ab79696020501105fd6605c8a234e274b35fbb8

Download Submit
C:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll
Filesize
2.1MB

MD5
c53d6a2642221c6452eb5af211b23df7

SHA1
925603c7b4d8b11c9d8177136620be400151b8ac

SHA256
e2cb07fd4f3164e8d8af43587b0c0f24bf45397dfab6edf2b8d541b57b95be60

SHA512
31b17195e70fd5311408e004b2e15b7ea3ba56b192878533e36ac34ccf4b32754fce117fe5c62742656053ac8ab79696020501105fd6605c8a234e274b35fbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tf5e3b40de.dll
Filesize
2.1MB

MD5
c53d6a2642221c6452eb5af211b23df7

SHA1
925603c7b4d8b11c9d8177136620be400151b8ac

SHA256
e2cb07fd4f3164e8d8af43587b0c0f24bf45397dfab6edf2b8d541b57b95be60

SHA512
31b17195e70fd5311408e004b2e15b7ea3ba56b192878533e36ac34ccf4b32754fce117fe5c62742656053ac8ab79696020501105fd6605c8a234e274b35fbb8

Download Submit
\??\c:\Program Files (x86)\IncludeFoobar\IncludeFoobar.dll
Filesize
2.1MB

MD5
c53d6a2642221c6452eb5af211b23df7

SHA1
925603c7b4d8b11c9d8177136620be400151b8ac

SHA256
e2cb07fd4f3164e8d8af43587b0c0f24bf45397dfab6edf2b8d541b57b95be60

SHA512
31b17195e70fd5311408e004b2e15b7ea3ba56b192878533e36ac34ccf4b32754fce117fe5c62742656053ac8ab79696020501105fd6605c8a234e274b35fbb8

Download Submit
memory/2108-132-0x000000007EC10000-0x000000007EF54000-memory.dmp

Filesize
3.3MB

Download
memory/2108-138-0x000000007E760000-0x000000007EAB8000-memory.dmp

Filesize
3.3MB

Download
memory/2200-143-0x0000000000000000-mapping.dmp

Download
memory/2200-146-0x000000007F380000-0x000000007F6D8000-memory.dmp

Filesize
3.3MB

Download
memory/4284-151-0x0000000000000000-mapping.dmp

Download
memory/4284-153-0x000000007EE40000-0x000000007F198000-memory.dmp

Filesize
3.3MB

Download

pid	process
2108	856f36aff6f7267ca34d64a6bbf468d79f0f51a3cd0b3db34141a544bc28fe8c.exe
2200	rundll32.exe
4284	rundll32.exe
4284	rundll32.exe
4284	rundll32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads