73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25

Analysis

max time kernel
14s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:39

Target

73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25.dll
Size

22KB
MD5

a211868cba3b44f58d31da83f12e33f0
SHA1

b676ff2c2a0a7f7666f5199bf76ee5fc85413f42
SHA256

73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25
SHA512

2b87c345c2f61ce6149b2aa09bf42b8ebbf66ce5d7b08160b7cb980e20a89626838c9814136ec49348aa68563d57c1d72c90a95728e72750fd2129dc64829e80
SSDEEP

384:EMm/vjh9z+dY18nQy/inBapTU7UjVfXMYLOqIySSqj5Ut1oVr4qKB:EQYFy/0aFUgOYquAc1oa

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hosts	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = ".www-306.ibm.com www-306.ibm.comPLUGINS\\webcheck.dll"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28
PID 1380 wrote to memory of 1400	1380	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Modifies registry class
  PID:1400

memory/1400-54-0x0000000000000000-mapping.dmp

Download
memory/1400-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1400-56-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download