f6494a3feb74399bcb227f5247342d456167ddd2d92747b70182b30b18408049

Analysis

max time kernel
242s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 11:13

Target

f6494a3feb74399bcb227f5247342d456167ddd2d92747b70182b30b18408049.dll
Size

39KB
MD5

83fc87420e017a9749347e5927f39408
SHA1

ca61b8da1c491700d506771e53734b1d5334b006
SHA256

f6494a3feb74399bcb227f5247342d456167ddd2d92747b70182b30b18408049
SHA512

102b993439ee2e111c3eb1d91aa86a228eff3d9847dce03c420756019fcffb7dada33fcd4909aaa0b039be9e0ac6ebe161def9bc82d5c0376ec215e5a10a75e9
SSDEEP

768:0T2MU1esVbohjfn6vVn/4icy8gNfPyru8A2lKGKyNQ1j6c56oW7S:M2MUZbY2GicUNfPXkQ1j6rq

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{997654B6-8B76-58F8-77ED-1AC1B7329400}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{997654B6-8B76-58F8-77ED-1AC1B7329400}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6494a3feb74399bcb227f5247342d456167ddd2d92747b70182b30b18408049.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{997654B6-8B76-58F8-77ED-1AC1B7329400}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{997654B6-8B76-58F8-77ED-1AC1B7329400}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{997654B6-8B76-58F8-77ED-1AC1B7329400}\ = "f6494a3feb7"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2760	2876	rundll32.exe	80
PID 2876 wrote to memory of 2760	2876	rundll32.exe	80
PID 2876 wrote to memory of 2760	2876	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6494a3feb74399bcb227f5247342d456167ddd2d92747b70182b30b18408049.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6494a3feb74399bcb227f5247342d456167ddd2d92747b70182b30b18408049.dll,#1
  2⤵
  - Modifies registry class
  PID:2760

memory/2760-133-0x000000007FD00000-0x000000007FD09000-memory.dmp

Filesize
36KB

Download
memory/2760-134-0x000000007FCE0000-0x000000007FCF1000-memory.dmp

Filesize
68KB

Download
memory/2760-135-0x000000007FD00000-0x000000007FD09000-memory.dmp

Filesize
36KB

Download
memory/2760-136-0x000000007FCE0000-0x000000007FCF1000-memory.dmp

Filesize
68KB

Download