f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 00:58

Target

f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll
Size

118KB
MD5

8c98c16c21b630d3aa9f60ef4a136d91
SHA1

4d5e376fe03e098e2b69ef3635ea6a59c57b866c
SHA256

f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4
SHA512

18b9568776c90d1679ed6cd8b5ecf6956eac29da6c4450139e40c772b0dd1db932ab1f9346054f7151c1d53988514cb622f0f07314423821b172720450f1fb59
SSDEEP

1536:H8DDS7LFiLjnavBSsOnOonMaPJtSNBeAt94nouy8Af206g:CIFYjnav4bnOAMaWeAt2outKG

Score

8^/10

upx

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1712-56-0x0000000010000000-0x000000001001F000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/1352-60-0x0000000010000000-0x000000001001F000-memory.dmp	upx
behavioral1/memory/1712-61-0x0000000010000000-0x000000001001F000-memory.dmp	upx
behavioral1/memory/1352-62-0x0000000010000000-0x000000001001F000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msisue.dll	rundll32.exe
File created	C:\Windows\msisue.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll,1314612079,-85730467,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1636 wrote to memory of 1712	1636	rundll32.exe	27
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28
PID 1712 wrote to memory of 1352	1712	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\msisue.dll",_RunAs@16
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1352

C:\Windows\msisue.dll

Filesize
118KB

MD5
8c98c16c21b630d3aa9f60ef4a136d91

SHA1
4d5e376fe03e098e2b69ef3635ea6a59c57b866c

SHA256
f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4

SHA512
18b9568776c90d1679ed6cd8b5ecf6956eac29da6c4450139e40c772b0dd1db932ab1f9346054f7151c1d53988514cb622f0f07314423821b172720450f1fb59

Download Submit
memory/1352-60-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1352-62-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1712-55-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1712-56-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1712-61-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download