b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:05

Target

b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0.dll
Size

143KB
MD5

0249ebdf07fece7afba8568f90067b80
SHA1

61942488d1fb9669bcc62bedb3e77755f57e969a
SHA256

b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0
SHA512

3c64989fa7529fb601186b4082c0925843b1931c48acbbf063b5316685240250873650a1603bc2511576e36f9d3771801e8c4225a8040464972ed5e8138740e4
SSDEEP

3072:OJQz9KLMrnPZ0gD8ccccccccccccHNT4BZ/PjZqMNuxWGWkd2Co7fJW00n:0QRKcB4cccccccccccctTytvBkd2CyJQ

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2020	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1128	rundll32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1128	rundll32.exe
1128	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1724 wrote to memory of 1128	1724	rundll32.exe	27
PID 1128 wrote to memory of 2020	1128	rundll32.exe	28
PID 1128 wrote to memory of 2020	1128	rundll32.exe	28
PID 1128 wrote to memory of 2020	1128	rundll32.exe	28
PID 1128 wrote to memory of 2020	1128	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2020

\Windows\SysWOW64\rundll32.dll

Filesize
43KB

MD5
f1f31c7bdc88d7efcff63dfe6cdf2ad0

SHA1
7b776bebff717b610c400e4b85e758dbc5dbc511

SHA256
9373e9ae157b3b25811efe441105b099047d0adf67426e42202f5d3acc5aa847

SHA512
1c4c8987378d438dc988e2af4e2eadf260ff527824de0402efc6ea21db34629fa949c1464402cc4712e57802eff80661c7b1633aba4ed2cc4b9d1abf154efc9a

Download Submit
memory/1128-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1128-56-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/1128-60-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1128-59-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1128-58-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1128-65-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2020-64-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download