b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c

Analysis

max time kernel
129s
max time network
145s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll
Size

53KB
MD5

0d4d4a2a8c6708388fbe5e6629494426
SHA1

e48cbb3fa40dac6680839a60f465da7f72251fba
SHA256

b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c
SHA512

b1999ad5344f65e2925548baa14e1eea3d815705ef44ca64c1a8b42a5667da8e45970570b02616e0c4233851c61e93a7a33db645d97ac9a1dc24ca814c1f636e
SSDEEP

768:T/k0hbl6VPrPmORgj46Z/wrOjOFwJxkEXkRJ8NeJRCvCuovQrSmLBfQFwLS:Npl6VzPRt6RGw0PRCvCuo0S6YFn

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
892	netsh.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 1216	1696	rundll32.exe	28

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 852 wrote to memory of 1696	852	rundll32.exe	27
PID 1696 wrote to memory of 1216	1696	rundll32.exe	28
PID 1696 wrote to memory of 1216	1696	rundll32.exe	28
PID 1696 wrote to memory of 1216	1696	rundll32.exe	28
PID 1696 wrote to memory of 1216	1696	rundll32.exe	28
PID 1696 wrote to memory of 1216	1696	rundll32.exe	28
PID 1216 wrote to memory of 892	1216	svchost.exe	29
PID 1216 wrote to memory of 892	1216	svchost.exe	29
PID 1216 wrote to memory of 892	1216	svchost.exe	29
PID 1216 wrote to memory of 892	1216	svchost.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b221dc624e5fe9e277de1b71d24d739e1afb5292a14a76dacc5bb86856fe8d0c.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set allowedprogram "%systemroot%\system32\scvhost.exe" enable
      4⤵
      Modifies Windows Firewall
      PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-55-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download