Analysis

Max time kernel: 153s
Max time network: 138s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/12/2022, 00:58
Behavioral task: behavioral1
  Sample: f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll
  Resource: win10v2004-20221111-en
General

Target: f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll
Size: 118KB
MD5: 8c98c16c21b630d3aa9f60ef4a136d91
SHA1: 4d5e376fe03e098e2b69ef3635ea6a59c57b866c
SHA256: f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4
SHA512: 18b9568776c90d1679ed6cd8b5ecf6956eac29da6c4450139e40c772b0dd1db932ab1f9346054f7151c1d53988514cb622f0f07314423821b172720450f1fb59
SSDEEP: 1536:H8DDS7LFiLjnavBSsOnOonMaPJtSNBeAt94nouy8Af206g:CIFYjnav4bnOAMaWeAt2outKG
Malware Config

Signatures

YARA rule matches
  resource                                                                      yara_rule
  behavioral2/memory/5064-133-0x0000000010000000-0x000000001001F000-memory.dmp  upx
  behavioral2/files/0x00060000000231a1-135.dat                                  upx
  behavioral2/files/0x00060000000231a1-136.dat                                  upx
  behavioral2/memory/1020-137-0x0000000010000000-0x000000001001F000-memory.dmp  upx
  behavioral2/memory/5064-138-0x0000000010000000-0x000000001001F000-memory.dmp  upx
  behavioral2/memory/1020-139-0x0000000010000000-0x000000001001F000-memory.dmp  upx

Loads dropped DLL (1 IoCs)
  pid   Process
  1020  rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   Process
  1020  rundll32.exe
  1020  rundll32.exe
  1020  rundll32.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File opened for modification  C:\Windows\msisue.dll  rundll32.exe
  File created                  C:\Windows\msisue.dll  rundll32.exe

Modifies registry class (5 IoCs)
  description      ioc                                                                                                                                                                                                        Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}                                                                                                                rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll,1314612079,-85730467,-1814625877"  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32                                                                                                 rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                                                                                       rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}                                                                                                                rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1020  rundll32.exe  (64 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                     pid   Process       procid_target
  PID 2248 wrote to memory of 5064  2248  rundll32.exe  83
  PID 2248 wrote to memory of 5064  2248  rundll32.exe  83
  PID 2248 wrote to memory of 5064  2248  rundll32.exe  83
  PID 5064 wrote to memory of 1020  5064  rundll32.exe  86
  PID 5064 wrote to memory of 1020  5064  rundll32.exe  86
  PID 5064 wrote to memory of 1020  5064  rundll32.exe  86
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll,#1
   PID: 2248
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4.dll,#1
      PID: 5064
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32 "C:\Windows\msisue.dll",_RunAs@16
         PID: 1020
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 118KB
MD5: 8c98c16c21b630d3aa9f60ef4a136d91
SHA1: 4d5e376fe03e098e2b69ef3635ea6a59c57b866c
SHA256: f82429c7a82e44e3b73414d229cd572ce2ceada19cd192ef5f200c62d0464ad4
SHA512: 18b9568776c90d1679ed6cd8b5ecf6956eac29da6c4450139e40c772b0dd1db932ab1f9346054f7151c1d53988514cb622f0f07314423821b172720450f1fb59