ta505 | 07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd

Analysis

max time kernel
136s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2022 21:26

Target

07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd.dll
Size

109KB
MD5

4930cfb3e6a4ce0c8f9949eea8f5c866
SHA1

4bac97be88f2aefb1ba73940376ad50c6f40e3ca
SHA256

07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd
SHA512

45c2db121ff7591db172b4c3390f7b71609e81cdc34dc0f46aeb17bf10acf59bb3d13f3734dbf918ec7c110c1bb6068ca7ca113b64d29f828e11f60c372627a0
SSDEEP

3072:1Ys2ZIHpK5RiQXKguYerHOOJWuljeaQLJO:1YlSK3i8Heaqy7LJO

Score

10^/10

ta505

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4764	4868	regsvr32.exe	80
PID 4868 wrote to memory of 4764	4868	regsvr32.exe	80
PID 4868 wrote to memory of 4764	4868	regsvr32.exe	80
PID 4764 wrote to memory of 912	4764	regsvr32.exe	83
PID 4764 wrote to memory of 912	4764	regsvr32.exe	83
PID 4764 wrote to memory of 912	4764	regsvr32.exe	83
PID 2288 wrote to memory of 4876	2288	explorer.exe	85
PID 2288 wrote to memory of 4876	2288	explorer.exe	85
PID 4876 wrote to memory of 4220	4876	cmd.exe	88
PID 4876 wrote to memory of 4220	4876	cmd.exe	88
PID 4220 wrote to memory of 220	4220	rundll32.exe	89
PID 4220 wrote to memory of 220	4220	rundll32.exe	89
PID 4220 wrote to memory of 220	4220	rundll32.exe	89

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe "C:\Users\Admin\AppData\Local\Temp\C6AB.tmp.bat"
    3⤵
    PID:912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C6AB.tmp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd.dll",DllRegisterServer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\07460cf7f28c74d299bba9224e0e5c61b89507fe154b4e32bb4232d0e4a6c1dd.dll",DllRegisterServer
      4⤵
      PID:220

C:\Users\Admin\AppData\Local\Temp\C6AB.tmp.bat

Filesize
162B

MD5
65afd6c6066dee6a9ca0bff6f1c25be3

SHA1
ebc077b141e5c2026030284f1d970dcfbf126957

SHA256
33f1cab28e844e8320b7e1f4963f404b1fcc17f10b3382734cee4e0cb8843ff6

SHA512
6a3b186f3e22c86ea9a801de53f6b7b0d5d87bebc7c65151c3ac374334e6ff68eca92b82b6168ca805d15d04fe7603cf61f6b8919f18f5801006c3f5a24526c8

Download Submit