Analysis
- max time kernel: 205s
- max time network: 247s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 17:33
Behavioral tasks
- behavioral1: sample e5aff8bf4b3fd44b7b1667b2909ce4393deca1f762bd0aebefaa18b47e5a59c7.dll, resource win7-20220812-en
- behavioral2: sample e5aff8bf4b3fd44b7b1667b2909ce4393deca1f762bd0aebefaa18b47e5a59c7.dll, resource win10v2004-20221111-en
General
- Target: e5aff8bf4b3fd44b7b1667b2909ce4393deca1f762bd0aebefaa18b47e5a59c7.dll
- Size: 122KB
- MD5: 5b7070549292c232888fffd2a858ceb3
- SHA1: eaee91a242e4cf7731e3f1527ad2eff3f4ddf97f
- SHA256: e5aff8bf4b3fd44b7b1667b2909ce4393deca1f762bd0aebefaa18b47e5a59c7
- SHA512: e47d7632fba256b2935eade7c82d0d2a4671947ce076144763fb2531b51b7f9c187169f130e5ce6e900cafedd6d63098d84b5dcad8c8430ee587f8d279a44b58
- SSDEEP: 3072:of9xHwm1PXBmXZFeA28pMGEdePl9dehiv80P80Cnp8d6R:wdwaWB28adeP/deUv80P80Ap8a
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 3 IoCs)
  Active Setup runs the StubPath command of every HKLM Installed Components entry once per user at logon when that user's HKCU copy of the GUID is missing or older, so a populated StubPath gives the sample logon-time persistence (Boot or Logon Autostart Execution: Active Setup, T1547.014 in current ATT&CK). The key sits under WOW6432Node, the redirected view that a 32-bit process writes to on 64-bit Windows, which matches the SysWOW64 rundll32.exe that triggered this signature.
  Processes (rundll32.exe):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07546764-ADCD-31c8-82A6-F4D093B1724D}\ (default value) = "ϵͳÉèÖÃ"
    The data is the GBK string 系统设置 ("System Settings") displayed as Western single-byte text, consistent with a Chinese display name written through an ANSI registry API on an en-US system.
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07546764-ADCD-31c8-82A6-F4D093B1724D}\stubpath (value data not shown in the report)
  - Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{07546764-ADCD-31c8-82A6-F4D093B1724D}
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 2848 rundll32.exe wrote to memory of PID 424 rundll32.exe (reported three times)
  PID 2848 is the 64-bit C:\Windows\system32\rundll32.exe and PID 424 its 32-bit C:\Windows\SysWOW64\rundll32.exe child (see Processes below). A 64-bit rundll32 hands a 32-bit DLL off to the SysWOW64 copy, and a parent writing into a child it has just created is consistent with that launch rather than with injection into an unrelated process; on its own this signature is weak evidence.
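The registry IoCs above are the kind of flattened event text an analyst gets from a sandbox export. The following Python is an added triage helper, not part of the sandbox report or of the sample: it parses events in that layout, groups them by Active Setup component GUID, reports whether a StubPath was written (the condition that makes the key execute at logon), and repairs the mojibake display name by re-encoding it as Western text and decoding it as GBK. The three sample events are constructed to mirror the report; the default-value data is rebuilt from the GBK bytes of 系统设置, since that byte sequence shown as cp1252 is the string the report displays.

```python
"""Triage helper for sandbox registry IoCs (added example).

Parses registry events in the flattened "<op> <path>[ = "<data>"] <process>"
layout, groups them by Active Setup component GUID and reports whether a
StubPath was set, which is what turns an Installed Components key into
logon-time persistence.
"""
import re
from collections import defaultdict

# Constructed sample input mirroring the three events in the report.  The
# default-value data is the GBK encoding of "系统设置" decoded as cp1252, which is
# how that string renders on an en-US sandbox (mojibake).
MOJIBAKE_NAME = b"\xcf\xb5\xcd\xb3\xc9\xe8\xd6\xc3".decode("cp1252")
ACTIVE_SETUP_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup"
                    r"\Installed Components\{07546764-ADCD-31c8-82A6-F4D093B1724D}")
SAMPLE_EVENTS = [
    f'Set value (str) {ACTIVE_SETUP_KEY}\\ = "{MOJIBAKE_NAME}" rundll32.exe',
    f"Set value (str) {ACTIVE_SETUP_KEY}\\stubpath rundll32.exe",
    f"Key created {ACTIVE_SETUP_KEY} rundll32.exe",
]

# <op> <path> [= "<data>"] <process>; the path is matched lazily so the
# optional quoted data and the trailing process name are not swallowed.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<data>.*)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)
ACTIVE_SETUP_RE = re.compile(
    r'\\(?P<wow>WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\'
    r'(?P<guid>\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})$',
    re.IGNORECASE,
)


def parse_event(line):
    """Split one registry event into op / key / value name / data / process.
    Returns None for lines that are not registry events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    if m["op"] == "Key created":
        return {"op": "create", "key": m["path"], "name": None,
                "data": None, "proc": m["proc"]}
    key, _, name = m["path"].rpartition("\\")
    # A path ending in "\" addresses the key's default (unnamed) value.
    return {"op": "set", "key": key, "name": name or "(Default)",
            "data": m["data"], "proc": m["proc"]}


def demojibake(text, codec="gbk"):
    """Undo a multi-byte (default GBK) string that was displayed as Western
    single-byte text.  Plain ASCII or non-round-tripping input is returned
    unchanged so the caller never loses the original IoC."""
    if text.isascii():
        return text
    for western in ("cp1252", "latin-1"):
        try:
            return text.encode(western).decode(codec)
        except UnicodeError:
            continue
    return text


def find_active_setup_persistence(lines):
    """Group Active Setup registry events by GUID.  'persistence' is True only
    when StubPath was written: Active Setup runs that command once per user at
    logon whose HKCU copy of the GUID is missing or older."""
    findings = defaultdict(lambda: {"created": False, "stubpath": False,
                                    "display_name": None, "view": None,
                                    "procs": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        m = ACTIVE_SETUP_RE.search(ev["key"])
        if not m:
            continue
        info = findings[m["guid"].upper()]
        # WOW6432Node is the redirected view a 32-bit writer lands in on x64.
        info["view"] = "32-bit (WOW6432Node)" if m["wow"] else "native"
        info["procs"].add(ev["proc"])
        if ev["op"] == "create":
            info["created"] = True
        elif ev["name"].lower() == "stubpath":
            info["stubpath"] = True
        elif ev["name"] == "(Default)" and ev["data"] is not None:
            info["display_name"] = demojibake(ev["data"])
    return {g: dict(info, persistence=info["stubpath"]) for g, info in findings.items()}


if __name__ == "__main__":
    for guid, info in find_active_setup_persistence(SAMPLE_EVENTS).items():
        flag = "PERSISTENCE" if info["persistence"] else "no StubPath"
        print(f"{guid} [{info['view']}] {flag}; display name {info['display_name']!r}; "
              f"writers {sorted(info['procs'])}")
```

Feed it the registry section of any report in this layout; a GUID that is only created, or only given a display name, is not yet persistence, and the repaired display name is a useful pivot for hunting the same family across samples.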
Processes
- C:\Windows\system32\rundll32.exe (PID 2848)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5aff8bf4b3fd44b7b1667b2909ce4393deca1f762bd0aebefaa18b47e5a59c7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 424), child of the above
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5aff8bf4b3fd44b7b1667b2909ce4393deca1f762bd0aebefaa18b47e5a59c7.dll,#1
    - Modifies Installed Components in the registry
Both invocations call the DLL's export by ordinal (#1). The PIDs are taken from the WriteProcessMemory IoCs above and from the memory dump name below; the report's own tree does not list them.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/424-132-0x0000000000000000-mapping.dmp (memory dump from PID 424, the SysWOW64 rundll32.exe)