Overview

overview

8

Static

static

d224ee4c93...62.dll

windows7-x64

8

d224ee4c93...62.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d224ee4c9385c0cd3f28cfb15576463ff72a2f6e60db129e6c7be3d7ac1ae962.dll

  • Size

    1.5MB

  • MD5

    c5d86aadcff6c25cddb564629cfffc59

  • SHA1

    757f779daf4fe13c54e2ddc739c52e1e53e713a2

  • SHA256

    d224ee4c9385c0cd3f28cfb15576463ff72a2f6e60db129e6c7be3d7ac1ae962

  • SHA512

    e3f084927de91908590df8b419caf55fd81c5b00b25cbc434e00ccb19760104ce0ac1c330194102f95ba047f1533d6ce75697ad6d58062683d3cbfb8290f9139

  • SSDEEP

    3072:er7/bDCwYqINL9rQ1/UnLoJRc/ehNT8X3l1Hjr/r7:6CfhdQ1/GcJRi0eX

Score
8/10
persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d224ee4c9385c0cd3f28cfb15576463ff72a2f6e60db129e6c7be3d7ac1ae962.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d224ee4c9385c0cd3f28cfb15576463ff72a2f6e60db129e6c7be3d7ac1ae962.dll,#1
      2⤵
      • Sets DLL path for service in the registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net start COMSysApp
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\SysWOW64\net.exe
          net start COMSysApp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:432
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start COMSysApp
            5⤵
              PID:1436
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c net start SENS
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\SysWOW64\net.exe
            net start SENS
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start SENS
              5⤵
                PID:1320
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        1⤵
          PID:588
        • C:\Windows\system32\dllhost.exe
          C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
          1⤵
          • Drops file in Windows directory
          PID:336

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1056-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1056-56-0x0000000000200000-0x0000000000250000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1056-58-0x0000000000190000-0x00000000001B6000-memory.dmp

          Filesize

          152KB

          Download