b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0

Analysis

max time kernel
147s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2022, 23:05

Target

b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0.dll
Size

143KB
MD5

0249ebdf07fece7afba8568f90067b80
SHA1

61942488d1fb9669bcc62bedb3e77755f57e969a
SHA256

b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0
SHA512

3c64989fa7529fb601186b4082c0925843b1931c48acbbf063b5316685240250873650a1603bc2511576e36f9d3771801e8c4225a8040464972ed5e8138740e4
SSDEEP

3072:OJQz9KLMrnPZ0gD8ccccccccccccHNT4BZ/PjZqMNuxWGWkd2Co7fJW00n:0QRKcB4cccccccccccctTytvBkd2CyJQ

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1748	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	rundll32.exe
2752	rundll32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2752	rundll32.exe
2752	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2752	4748	rundll32.exe	82
PID 4748 wrote to memory of 2752	4748	rundll32.exe	82
PID 4748 wrote to memory of 2752	4748	rundll32.exe	82
PID 2752 wrote to memory of 1748	2752	rundll32.exe	83
PID 2752 wrote to memory of 1748	2752	rundll32.exe	83
PID 2752 wrote to memory of 1748	2752	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2b580d31335db4543045d80adfb785cf83689795a23ace2dbfbb0828dd70ef0.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1748

C:\Windows\SysWOW64\rundll32.dll

Filesize
60KB

MD5
174d921f1387b534ee96dc294b79fb3f

SHA1
7dad0fd02fa624373fc411c541d9391275c6dba3

SHA256
dc7f1117328a8d68d3904daad34bcbb9675177ba1a507f0da13436874f881324

SHA512
35724d8a4c458854d1cd7ca773abaea2b548aea2cb8b345e1b2eae86fc178b2c17c52e0f4f173fa2419b31337a2e6f090195f23d9587c5dfd1851c7c556d0b4d

Download Submit
memory/1748-142-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2752-133-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2752-134-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2752-136-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/2752-137-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/2752-138-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/2752-143-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download