6ee808fa5d05cb5dae9ea7c8b509846a22d3a7c3735b38cd65fba8e55834e72a

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee808fa5d05cb5dae9ea7c8b509846a22d3a7c3735b38cd65fba8e55834e72a.dll
Size

276KB
MD5

427fb9c282ffb2135b2a57a01d8306d0
SHA1

e00a3cf3ef7a2435f708789c41ba240a375a3326
SHA256

6ee808fa5d05cb5dae9ea7c8b509846a22d3a7c3735b38cd65fba8e55834e72a
SHA512

68bb6f1efba400d5d232436f89537105f9a3194edfb4a4f55a48a1b443bc4d177cc6dff4c179a09c4f5f40d80ce9a9b03ba3430eda6c42c30ae1c1ec9716fce3
SSDEEP

6144:KKral0y9yV0qzI8Yu+tZXtGtliF+sI6Ee+ajd1Zp:Kt+y9Ytzf+tZXcUF+sIVta51Z

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Nraxakucadi = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6ee808fa5d05cb5dae9ea7c8b509846a22d3a7c3735b38cd65fba8e55834e72a.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
656	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
656	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 656	812	rundll32.exe	27
PID 812 wrote to memory of 656	812	rundll32.exe	27
PID 812 wrote to memory of 656	812	rundll32.exe	27
PID 812 wrote to memory of 656	812	rundll32.exe	27
PID 812 wrote to memory of 656	812	rundll32.exe	27
PID 812 wrote to memory of 656	812	rundll32.exe	27
PID 812 wrote to memory of 656	812	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ee808fa5d05cb5dae9ea7c8b509846a22d3a7c3735b38cd65fba8e55834e72a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ee808fa5d05cb5dae9ea7c8b509846a22d3a7c3735b38cd65fba8e55834e72a.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-55-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/656-56-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/656-59-0x0000000000AC1000-0x0000000000AD3000-memory.dmp

Filesize
72KB

Download