e94dcdde5ec759125ef2932ade99cacefc590cbe8d42b9262df31aaf21db33e2

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 16:28

Target

e94dcdde5ec759125ef2932ade99cacefc590cbe8d42b9262df31aaf21db33e2.dll
Size

79KB
MD5

26b9b1d4bbe411572c49ebdcfca082d1
SHA1

9b0b88539da1d56304eba89d718521a20a2e5166
SHA256

e94dcdde5ec759125ef2932ade99cacefc590cbe8d42b9262df31aaf21db33e2
SHA512

d20c4a0787cebd287f6ea3a9d5badb4f4f50ad9886d998a3efa0d9924cf10a8bf5ec60866dcbd85e1ddd64f2b316bce141797674d7bb19eaa38754b9eafb00c0
SSDEEP

1536:DiItUuQoMyam0kUysKY2dYGoDxHEiDlwGNDX1Zj1gV1fB7Ql:DvBamLUysK8xHEiDykJqal

Score

8^/10

discovery

Blocklisted process makes network request 8 IoCs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 7 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26
PID 1976 wrote to memory of 1880	1976	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e94dcdde5ec759125ef2932ade99cacefc590cbe8d42b9262df31aaf21db33e2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e94dcdde5ec759125ef2932ade99cacefc590cbe8d42b9262df31aaf21db33e2.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1880-55-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1880-56-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/1880-57-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1880-58-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/1880-59-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download