Analysis
max time kernel: 152s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: 7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72.dll
  Resource: win10v2004-20221111-en
General
Target: 7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72.dll
Size: 29KB
MD5: 5c82817b5b4ea12ea05d1bc1d6eaead9
SHA1: a8cfac271e9c36f0d30b577dae19e1c948550e3b
SHA256: 7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72
SHA512: 51f1a0d576e1a8cc2e054228d59fbda5026ce83f26ea97148b1aecad21fcd2e29f60d371f358b1b2814fe1e581a8b9989e6d725eb0d06bb90b93cf6f0fdc4645
SSDEEP: 768:pDdabwEogyKmNCj4jGsmSfuwKwmjZ3kp8eMEvE1gdjYL:pDcbwEogyx68pvmN3kCTEc1gxYL
Malware Config
Signatures

Loads dropped DLL (1 IoC)
  pid 220  Process rundll32.exe

Drops file in System32 directory (2 IoCs)
  File opened for modification  C:\Windows\SysWOW64\lua.wkl  rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\lua.wkl  rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid 220  Process rundll32.exe
  pid 220  Process rundll32.exe
  pid 220  Process rundll32.exe

Drops file in Windows directory (2 IoCs)
  File created                  C:\Windows\msocx.dll  rundll32.exe
  File opened for modification  C:\Windows\msocx.dll  rundll32.exe

Modifies registry class (5 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72.dll,1293806945,-2036409223,-352895392"  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}  rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 220  Process rundll32.exe  (64 identical events)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3492 wrote to memory of 1076  3492 rundll32.exe  procid_target 83
  PID 3492 wrote to memory of 1076  3492 rundll32.exe  procid_target 83
  PID 3492 wrote to memory of 1076  3492 rundll32.exe  procid_target 83
  PID 1076 wrote to memory of 220   1076 rundll32.exe  procid_target 86
  PID 1076 wrote to memory of 220   1076 rundll32.exe  procid_target 86
  PID 1076 wrote to memory of 220   1076 rundll32.exe  procid_target 86
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 3492

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72.dll,#1
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 1076

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32 "C:\Windows\msocx.dll",_RunAs@16
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         PID: 220
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 29KB
MD5: 5c82817b5b4ea12ea05d1bc1d6eaead9
SHA1: a8cfac271e9c36f0d30b577dae19e1c948550e3b
SHA256: 7d865dac017dc32279a1e8e64b6310870088821e412cc47f9a7a917b43a26f72
SHA512: 51f1a0d576e1a8cc2e054228d59fbda5026ce83f26ea97148b1aecad21fcd2e29f60d371f358b1b2814fe1e581a8b9989e6d725eb0d06bb90b93cf6f0fdc4645