Analysis
max time kernel: 153s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 21:03
Behavioral task: behavioral1
Sample: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll
Resource: win10v2004-20220901-en
General
Target: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll
Size: 34KB
MD5: bb4649bcff2d905824cb2af7bce8d461
SHA1: 07f40c9fc35724c1d483a1de24e2d31dff31d91e
SHA256: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958
SHA512: a439726579e611b15422fdd19c2f42168b5b6fbeb30440bcd35e2e2ac30d7989afe1eff516ffbdf772946996451fd483c40f59c78bf41b9a99e45d786352dbde
SSDEEP: 768:2geUxHpbt4Vw3N0e2YkDVjK4trS2x7SoI/9WOBw61PafhCnbcuyD7UAfa:2xUHt4Vwd0nYSZJko6FC4nouy8Afa
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000b00000001232f-59.dat | acprotect

yara_rule upx 5 IoCs
resource | yara_rule
behavioral1/memory/2032-56-0x0000000010000000-0x000000001001E000-memory.dmp | upx
behavioral1/files/0x000b00000001232f-59.dat | upx
behavioral1/memory/1740-60-0x0000000010000000-0x000000001001E000-memory.dmp | upx
behavioral1/memory/2032-61-0x0000000010000000-0x000000001001E000-memory.dmp | upx
behavioral1/memory/1740-62-0x0000000010000000-0x000000001001E000-memory.dmp | upx
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
1740 | rundll32.exe
1740 | rundll32.exe
1740 | rundll32.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\msisue.dll | rundll32.exe
File opened for modification | C:\Windows\msisue.dll | rundll32.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll,1314612079,-85730467,-1814625877" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} | rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1740 | rundll32.exe (64 identical events)
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 1756 wrote to memory of 2032 | 1756 | rundll32.exe | 28 (7 identical events)
PID 2032 wrote to memory of 1740 | 2032 | rundll32.exe | 29 (7 identical events)
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll,#1
   PID: 1756
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1756)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll,#1
      PID: 2032
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (child of PID 2032)
         rundll32 "C:\Windows\msisue.dll",_RunAs@16
         PID: 1740
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 34KB
MD5: bb4649bcff2d905824cb2af7bce8d461
SHA1: 07f40c9fc35724c1d483a1de24e2d31dff31d91e
SHA256: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958
SHA512: a439726579e611b15422fdd19c2f42168b5b6fbeb30440bcd35e2e2ac30d7989afe1eff516ffbdf772946996451fd483c40f59c78bf41b9a99e45d786352dbde