Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 05:34
Behavioral task: behavioral1
Sample: cd2797f8c99d10409ba047e3a9e6598de0c25c85a9e563bc219d323f01898bf1.dll
Resource: win7-20220812-en
9 signatures
150 seconds
General
Target: cd2797f8c99d10409ba047e3a9e6598de0c25c85a9e563bc219d323f01898bf1.dll
Size: 22KB
MD5: a2d665eeb1464829c9ee9c36cf0bd845
SHA1: 4f937bbc63e9b58bd6facd2c07283834d7b1857d
SHA256: cd2797f8c99d10409ba047e3a9e6598de0c25c85a9e563bc219d323f01898bf1
SHA512: ac2e2bc00a819e1f2c2cba0b31663dc700d1dbba4d767766d7a0e1cc195ae71ff277a74367fdbb5d6fb55f6f67b889b9d914958a2fdc5de8b7d0dae8919320b7
SSDEEP: 384:FTVRYBcwA6o/dnv6TjKAQXL8/+s5+PHtz9qGPHwSszYWujfvSyvYwhERt/hnOkSV:FTVgATvojKBoWsYP31PHw8WBygwuRnkV
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ (process: rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:rundll32" (process: rundll32.exe)

yara_rule matches (resource: rule):
- behavioral1/memory/2016-56-0x0000000010000000-0x0000000010041000-memory.dmp: upx
- behavioral1/memory/2016-57-0x0000000010000000-0x0000000010041000-memory.dmp: upx
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (process: rundll32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (process: rundll32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (process: rundll32.exe)
Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\hrpdcf.bin (process: rundll32.exe)
- File opened for modification: C:\Windows\SysWOW64\chinastar.key (process: rundll32.exe)
Program crash (1 IoC)
- pid 316 (WerFault.exe), pid_target 2016, procid_target 27

Modifies Internet Explorer settings (2 IoCs)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49} (process: rundll32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} (process: rundll32.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
- pid 2016 (rundll32.exe)

Suspicious behavior: LoadsDriver (64 IoCs)
- pid 2016 (rundll32.exe), the same entry repeated 64 times
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 1672 wrote to memory of 2016 (process: 1672 rundll32.exe, procid_target 27), 7 entries
- PID 2016 wrote to memory of 316 (process: 2016 rundll32.exe, procid_target 28), 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID: 1672)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd2797f8c99d10409ba047e3a9e6598de0c25c85a9e563bc219d323f01898bf1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2016)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd2797f8c99d10409ba047e3a9e6598de0c25c85a9e563bc219d323f01898bf1.dll,#1
    - Modifies firewall policy service
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID: 316)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 372
      - Program crash