Analysis
max time kernel: 151s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 21:01

Behavioral task: behavioral1
Sample: b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396.dll
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396.dll
Resource: win10v2004-20220901-en
General
Target: b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396.dll
Size: 122KB
MD5: fde43328343a93d7fdc0f0648b9dcea2
SHA1: ebe68cfd0a8080fdebd7f03f889df3f9a9787064
SHA256: b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396
SHA512: 274f756122c4e9b099a8e67943de587c129a9efc5ea75674a1b331e80717e1592a99f8fb48b199efa05e5cdb11c62408829f06357a183b3dc9cdb3ff5ad48bbe
SSDEEP: 1536:CtubDUw3lbQ0zTjb6CuI/CI+33gmv4YZSAjbqsbxI5yXnouy8dROQ:CcwooH33gmJb7tIyoutDOQ
Malware Config
Signatures
YARA rule matches (6 IoCs)
resource | yara_rule
behavioral2/memory/1884-133-0x0000000010000000-0x0000000010020000-memory.dmp | upx
behavioral2/files/0x0003000000022dfa-135.dat | upx
behavioral2/files/0x0003000000022dfa-136.dat | upx
behavioral2/memory/2400-137-0x0000000010000000-0x0000000010020000-memory.dmp | upx
behavioral2/memory/1884-138-0x0000000010000000-0x0000000010020000-memory.dmp | upx
behavioral2/memory/2400-139-0x0000000010000000-0x0000000010020000-memory.dmp | upx

Loads dropped DLL (1 IoC)
pid | Process
2400 | rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
2400 | rundll32.exe
2400 | rundll32.exe
2400 | rundll32.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\lua.wkl | rundll32.exe
File created | C:\Windows\mspime.dll | rundll32.exe
File opened for modification | C:\Windows\mspime.dll | rundll32.exe
File opened for modification | C:\Windows\lua.wkl | rundll32.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396.dll,1312254664,1947795251,-352895392" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2400 | rundll32.exe (64 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4572 wrote to memory of 1884 | 4572 | rundll32.exe | 76
PID 4572 wrote to memory of 1884 | 4572 | rundll32.exe | 76
PID 4572 wrote to memory of 1884 | 4572 | rundll32.exe | 76
PID 1884 wrote to memory of 2400 | 1884 | rundll32.exe | 77
PID 1884 wrote to memory of 2400 | 1884 | rundll32.exe | 77
PID 1884 wrote to memory of 2400 | 1884 | rundll32.exe | 77
Processes
- C:\Windows\system32\rundll32.exe (PID 4572)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1884)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396.dll,#1
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2400)
      Command line: rundll32 "C:\Windows\mspime.dll",_RunAs@16
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
Two entries, listed with identical hashes (the same hashes as the submitted sample):
Filesize: 122KB
MD5: fde43328343a93d7fdc0f0648b9dcea2
SHA1: ebe68cfd0a8080fdebd7f03f889df3f9a9787064
SHA256: b982eeb418550b1d3f7978c09e5acbb7b85374d9a2e7503a099d4823fdf70396
SHA512: 274f756122c4e9b099a8e67943de587c129a9efc5ea75674a1b331e80717e1592a99f8fb48b199efa05e5cdb11c62408829f06357a183b3dc9cdb3ff5ad48bbe