aa54bed24d0dcd58305b9ea20c656d9f9dd1d3e90a7de0cb21ba444fd99d1de7

Analysis

max time kernel
57s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 18:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa54bed24d0dcd58305b9ea20c656d9f9dd1d3e90a7de0cb21ba444fd99d1de7.dll
Size

77KB
MD5

5b21c591d36a66b3c736a380f22271ea
SHA1

753fe4c6ab2c472de6c1cc4569f0661f215ac537
SHA256

aa54bed24d0dcd58305b9ea20c656d9f9dd1d3e90a7de0cb21ba444fd99d1de7
SHA512

9a6d5eb95844e46612a02fddf833595c06ef59516d35274bac708bc9da5941ceae2ecac6760bc39b972c4197b2130065e857fb8e40ab7b8d2ae23c53d6ab1a03
SSDEEP

1536:Ql4Ol0PGc4R8Pv4Dw1yUpbQFnToIfxgY0r5ZmNiTJbr:Forc4RA8w1yUpbQtTBfxgY0r5ZmNiTJP

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MediabCentero\Parameters\ServiceDll	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28
PID 2028 wrote to memory of 2004	2028	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa54bed24d0dcd58305b9ea20c656d9f9dd1d3e90a7de0cb21ba444fd99d1de7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa54bed24d0dcd58305b9ea20c656d9f9dd1d3e90a7de0cb21ba444fd99d1de7.dll,#1
  2⤵
  - Sets DLL path for service in the registry
  PID:2004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:1328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-55-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download