73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:39

Target

73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25.dll
Size

22KB
MD5

a211868cba3b44f58d31da83f12e33f0
SHA1

b676ff2c2a0a7f7666f5199bf76ee5fc85413f42
SHA256

73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25
SHA512

2b87c345c2f61ce6149b2aa09bf42b8ebbf66ce5d7b08160b7cb980e20a89626838c9814136ec49348aa68563d57c1d72c90a95728e72750fd2129dc64829e80
SSDEEP

384:EMm/vjh9z+dY18nQy/inBapTU7UjVfXMYLOqIySSqj5Ut1oVr4qKB:EQYFy/0aFUgOYquAc1oa

Score

8^/10

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hosts	rundll32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = ".www-306.ibm.com www-306.ibm.comPLUGINS\\webcheck.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "PLUGINS\\webcheck.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 920	3696	rundll32.exe	79
PID 3696 wrote to memory of 920	3696	rundll32.exe	79
PID 3696 wrote to memory of 920	3696	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\73210d4355b57bc8bdd7557bda30d16a540db0d7a8ac55677dd87cce7db60c25.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:920

memory/920-133-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/920-134-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download