a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 00:56

Target

a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e.dll
Size

25KB
MD5

c67a682c92d2ece218c771b8f7bf202a
SHA1

c9f67e97a73c5f9e52a9fa22ed699fc733bb4da4
SHA256

a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e
SHA512

62fb4974c0cf8da7c0dd08881499939d2a84f2295cbe4eed9518312e57a4b1129507cf2498d48ba5de354da8890d6bf0235bdb655daeb54548b6ff8e58c87e20
SSDEEP

384:Sc/Rdt4Kfi4nGvAAqeTgEBxwFFxedoA+OO1aAtfmzhzT8ltJQbHNYmsYaYmpAM:S2ZGvAAqeTFBiJedJOIPzhk9sYYHM

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\msvcr.dll	rundll32.exe
File opened for modification	C:\Windows\msvcr.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e.dll,1285608496,1563368310,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1352 wrote to memory of 1528	1352	rundll32.exe	26
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27
PID 1528 wrote to memory of 1152	1528	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\msvcr.dll",_RunAs@0
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1152

C:\Windows\msvcr.dll

Filesize
25KB

MD5
c67a682c92d2ece218c771b8f7bf202a

SHA1
c9f67e97a73c5f9e52a9fa22ed699fc733bb4da4

SHA256
a7168b052e1aca78b1e5916e55e9bec62ec349209b50fd684629a745b0ef650e

SHA512
62fb4974c0cf8da7c0dd08881499939d2a84f2295cbe4eed9518312e57a4b1129507cf2498d48ba5de354da8890d6bf0235bdb655daeb54548b6ff8e58c87e20

Download Submit
memory/1152-60-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/1528-55-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1528-59-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download