8995ffa8579bb1f063e8d91cd18554bef4091ccde1f2e97c8a6b0308ee4088ef

Analysis

max time kernel
162s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 01:25

Target

8995ffa8579bb1f063e8d91cd18554bef4091ccde1f2e97c8a6b0308ee4088ef.dll
Size

16KB
MD5

8e42e25275ea66093d24ea97b6cdab80
SHA1

8f3ba8413f3433b9cdc65349401b3bd165a33c75
SHA256

8995ffa8579bb1f063e8d91cd18554bef4091ccde1f2e97c8a6b0308ee4088ef
SHA512

224556ff49a37ca942e65f1897851dc16129aae6eccc248b8ba5b8e176be7ad893b38693b0c9f6965f055df0cf1212ed758532a1aac99c713534861eeb195814
SSDEEP

384:9bx9prGsDy7N3EGbp/D4yVDgYSEmLsnpBg:j9p5Dy7N3TbD/SIBg

Score

8^/10

persistence

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB4369B6-F362-4e68-8786-0895D86C9D7A}\InProcServer32\ = "8995ffa8579bb1f063e8d91cd18554bef4091ccde1f2e97c8a6b0308ee4088ef.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB4369B6-F362-4e68-8786-0895D86C9D7A}\InProcServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB4369B6-F362-4e68-8786-0895D86C9D7A}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CB4369B6-F362-4e68-8786-0895D86C9D7A}\InProcServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1296	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	rundll32.exe
Token: SeShutdownPrivilege	1296	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 2044 wrote to memory of 532	2044	rundll32.exe	28
PID 532 wrote to memory of 1296	532	rundll32.exe	16

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/532-55-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download