Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 00:59
Behavioral task: behavioral1
- Sample: 99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0.dll
- Resource: win10v2004-20220812-en
General
- Target: 99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0.dll
- Size: 34KB
- MD5: c0c54b0e26c68711f1caafb3bcac215f
- SHA1: 4fe2cbbab496293ad4c2a2de9bab7d97d789dfa7
- SHA256: 99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0
- SHA512: 0ba75240b37a105ad2365545651672156de2b432a4462407d8ef8626ffe59e27911c5e51d8f3ee0a14f0fae1d38110ce5f36120e83ccd4569fad9fa8fcac00f6
- SSDEEP: 768:1geUxHpbt4Vw3N0e2YkDVjK4trS2x7SoI/9WOBw61PafhCnbcuyD7UAfa:1xUHt4Vwd0nYSZJko6FC4nouy8Afa
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0009000000022df7-135.dat | acprotect
behavioral2/files/0x0009000000022df7-136.dat | acprotect
resource | yara_rule
behavioral2/memory/2064-133-0x0000000010000000-0x000000001001E000-memory.dmp | upx
behavioral2/files/0x0009000000022df7-135.dat | upx
behavioral2/files/0x0009000000022df7-136.dat | upx
behavioral2/memory/3328-137-0x0000000010000000-0x000000001001E000-memory.dmp | upx
behavioral2/memory/2064-138-0x0000000010000000-0x000000001001E000-memory.dmp | upx
- Loads dropped DLL (1 IoC)
pid | Process
3328 | rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
3328 | rundll32.exe
3328 | rundll32.exe
3328 | rundll32.exe
- Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\msisue.dll | rundll32.exe
File opened for modification | C:\Windows\msisue.dll | rundll32.exe
- Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0.dll,1314612079,-85730467,-1814625877" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3328 | rundll32.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4292 wrote to memory of 2064 | 4292 | rundll32.exe | 78
PID 4292 wrote to memory of 2064 | 4292 | rundll32.exe | 78
PID 4292 wrote to memory of 2064 | 4292 | rundll32.exe | 78
PID 2064 wrote to memory of 3328 | 2064 | rundll32.exe | 79
PID 2064 wrote to memory of 3328 | 2064 | rundll32.exe | 79
PID 2064 wrote to memory of 3328 | 2064 | rundll32.exe | 79
Processes
- C:\Windows\system32\rundll32.exe (PID 4292)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2064)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0.dll,#1
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3328)
      Command line: rundll32 "C:\Windows\msisue.dll",_RunAs@16
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 34KB
  MD5: c0c54b0e26c68711f1caafb3bcac215f
  SHA1: 4fe2cbbab496293ad4c2a2de9bab7d97d789dfa7
  SHA256: 99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0
  SHA512: 0ba75240b37a105ad2365545651672156de2b432a4462407d8ef8626ffe59e27911c5e51d8f3ee0a14f0fae1d38110ce5f36120e83ccd4569fad9fa8fcac00f6
- Filesize: 34KB
  MD5: c0c54b0e26c68711f1caafb3bcac215f
  SHA1: 4fe2cbbab496293ad4c2a2de9bab7d97d789dfa7
  SHA256: 99e4cdcecca54884789080bf8267d9499cd3de189236190ec24b41c273de4ec0
  SHA512: 0ba75240b37a105ad2365545651672156de2b432a4462407d8ef8626ffe59e27911c5e51d8f3ee0a14f0fae1d38110ce5f36120e83ccd4569fad9fa8fcac00f6