f4377e72a87737473ec4a3c19bc93b370023c14b8c4ba379dab8d69787620f32

Analysis

max time kernel
169s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4377e72a87737473ec4a3c19bc93b370023c14b8c4ba379dab8d69787620f32.dll
Size

93KB
MD5

de859272fe7c7b2771a4dbfbcba1cea9
SHA1

9067a389c6f4510c029e55bed4881741124a4581
SHA256

f4377e72a87737473ec4a3c19bc93b370023c14b8c4ba379dab8d69787620f32
SHA512

7e4791df7798fd4044ee9f14b53157a484e7a003e8c6cdec4168ddf6bd8714efcc54b246ebf47f17c822981e36046c9e0dcf3ff66ce8c9a294eb333185dac6ef
SSDEEP

1536:L5BrJ8ttnhs+4wbppFnoyT9JgEcLMlSpIBmIsOt7z952SZmHF:L5tJG9hTfJPcLMlSpIUI30H

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	rundll32.exe
Token: SeDebugPrivilege	2544	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2544	2276	rundll32.exe	82
PID 2276 wrote to memory of 2544	2276	rundll32.exe	82
PID 2276 wrote to memory of 2544	2276	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4377e72a87737473ec4a3c19bc93b370023c14b8c4ba379dab8d69787620f32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4377e72a87737473ec4a3c19bc93b370023c14b8c4ba379dab8d69787620f32.dll,#1
  2⤵
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2544-133-0x0000000075030000-0x0000000075066000-memory.dmp

Filesize
216KB

Download
memory/2544-134-0x0000000000B10000-0x0000000000B13000-memory.dmp

Filesize
12KB

Download
memory/2544-136-0x0000000000B10000-0x0000000000B12000-memory.dmp

Filesize
8KB

Download
memory/2544-135-0x0000000000B10000-0x0000000000B13000-memory.dmp

Filesize
12KB

Download
memory/2544-137-0x0000000075030000-0x0000000075066000-memory.dmp

Filesize
216KB

Download
memory/2544-138-0x0000000075030000-0x0000000075066000-memory.dmp

Filesize
216KB

Download