Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 21:03
Behavioral task: behavioral1
Sample: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll
Resource: win10v2004-20220901-en
General
Target: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll
Size: 34KB
MD5: bb4649bcff2d905824cb2af7bce8d461
SHA1: 07f40c9fc35724c1d483a1de24e2d31dff31d91e
SHA256: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958
SHA512: a439726579e611b15422fdd19c2f42168b5b6fbeb30440bcd35e2e2ac30d7989afe1eff516ffbdf772946996451fd483c40f59c78bf41b9a99e45d786352dbde
SSDEEP: 768:2geUxHpbt4Vw3N0e2YkDVjK4trS2x7SoI/9WOBw61PafhCnbcuyD7UAfa:2xUHt4Vwd0nYSZJko6FC4nouy8Afa
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  resource                                      yara_rule
  behavioral2/files/0x0004000000022dc0-135.dat  acprotect
  behavioral2/files/0x0004000000022dc0-136.dat  acprotect
- yara_rule upx matches
  resource                                                                      yara_rule
  behavioral2/memory/4060-133-0x0000000010000000-0x000000001001E000-memory.dmp  upx
  behavioral2/files/0x0004000000022dc0-135.dat                                  upx
  behavioral2/files/0x0004000000022dc0-136.dat                                  upx
  behavioral2/memory/5036-137-0x0000000010000000-0x000000001001E000-memory.dmp  upx
  behavioral2/memory/4060-138-0x0000000010000000-0x000000001001E000-memory.dmp  upx
  behavioral2/memory/5036-139-0x0000000010000000-0x000000001001E000-memory.dmp  upx
- Loads dropped DLL (1 IoCs)
  pid   Process
  5036  rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   Process
  5036  rundll32.exe
  5036  rundll32.exe
  5036  rundll32.exe
- Drops file in Windows directory (2 IoCs)
  description                   ioc                     Process
  File created                  C:\Windows\msisue.dll   rundll32.exe
  File opened for modification  C:\Windows\msisue.dll   rundll32.exe
- Modifies registry class (5 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}              rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}              rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll,1314612079,-85730467,-1814625877"  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                    rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  5036  rundll32.exe  (the same entry is listed 64 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 992 wrote to memory of 4060   992   rundll32.exe  81
  PID 992 wrote to memory of 4060   992   rundll32.exe  81
  PID 992 wrote to memory of 4060   992   rundll32.exe  81
  PID 4060 wrote to memory of 5036  4060  rundll32.exe  82
  PID 4060 wrote to memory of 5036  4060  rundll32.exe  82
  PID 4060 wrote to memory of 5036  4060  rundll32.exe  82
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll,#1
  PID: 992
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958.dll,#1
    PID: 4060
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 "C:\Windows\msisue.dll",_RunAs@16
      PID: 5036
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 34KB
  MD5: bb4649bcff2d905824cb2af7bce8d461
  SHA1: 07f40c9fc35724c1d483a1de24e2d31dff31d91e
  SHA256: f33532825864ca39636ac14932b70aaac61bacb888887307e91d553006b50958
  SHA512: a439726579e611b15422fdd19c2f42168b5b6fbeb30440bcd35e2e2ac30d7989afe1eff516ffbdf772946996451fd483c40f59c78bf41b9a99e45d786352dbde