a42c161140468b018c506d708059333c2aceaf293276db60479b661b68402983

Analysis

max time kernel
69s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 04:05

Target

a42c161140468b018c506d708059333c2aceaf293276db60479b661b68402983.dll
Size

1.6MB
MD5

8ac0908885c48b78d255cfa972f07764
SHA1

1e41ba34f0da4435e7a0b1896a0278575dabe46b
SHA256

a42c161140468b018c506d708059333c2aceaf293276db60479b661b68402983
SHA512

6a1709c6f385ae43d486680350ce19a83872e70425aafa73b538c58b00ca24d31cbf1feec44a1d3871daae68663485f7aaa99b0b722e9404f53dc9da5bd0a7ac
SSDEEP

3072:jV8z8CO+9hfV2qwVhPrrqSK3DGRmauhEu7szCvQAZwtNsu7AxSJbRlLZlQCcfvG9:jS44f0Zq13DauhJMCvLZSNsu8xEHLfm

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1912	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dologa.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\dologa.dll	rundll32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28
PID 1116 wrote to memory of 1912	1116	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a42c161140468b018c506d708059333c2aceaf293276db60479b661b68402983.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a42c161140468b018c506d708059333c2aceaf293276db60479b661b68402983.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1912

\Windows\SysWOW64\dologa.dll

Filesize
3.3MB

MD5
3f39f64ac549c71e4a74fe86a1f4df6d

SHA1
5a2d9e40852dc4500c37bd0740ba3d5f3bc93b05

SHA256
2c5e78773d202ca3f9a35a54d098a4f8470bc62f99d78e0b0c4089516959fd0e

SHA512
4ac4f4cf1121d972748737385094bb3d62940609c635526c9f5fa8bee9d02456c5027f8d096e32aa3bee6265af13953ef2fa64c01b92abd90c321095d5d87d6f

Download Submit
memory/1912-55-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1912-57-0x0000000000440000-0x0000000000498000-memory.dmp

Filesize
352KB

Download
memory/1912-64-0x00000000000C0000-0x00000000000C7000-memory.dmp

Filesize
28KB

Download
memory/1912-69-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/1912-71-0x00000000005F0000-0x0000000000648000-memory.dmp

Filesize
352KB

Download
memory/1912-78-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download