da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63

Analysis

max time kernel
177s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll
Size

264KB
MD5

82d91ef8289b7f0aea4edc94d2d07bbe
SHA1

30b165eda18b8d148fbf7d7815bcb62a9a128ba0
SHA256

da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63
SHA512

63d9821d168488be466f3372567b7358217993447daeec539fdd41b941415bc9be6beb599110ebee3fa849094777f03c0494fffcfb5e042219666a9c9090a368
SSDEEP

3072:1vcaf7lTZU5fPCfe8NiNj6agpoXlWpOuN5gX8ZelR0lYudOQUFDHq/K7K03oSErO:JbeWFpSWptgXXITUFDPK+oSEAK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\admggxp = "{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}"	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{034980BA-0FAD-4A1B-927D-EFDABD4FA96C}\InProcServer32\ = "C:\\Windows\\admggxp.dll"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4928	2280	rundll32.exe	78
PID 2280 wrote to memory of 4928	2280	rundll32.exe	78
PID 2280 wrote to memory of 4928	2280	rundll32.exe	78

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6952e3fcbce9afd0c372255600fb6f8325adbf66761868e6fb9576de406a63.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...