Analysis
-
max time kernel
61s
-
max time network
260s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
21-12-2022 02:23
Static task
static1
Behavioral task
behavioral1
Sample
syncfiles32.dll
Resource
win7-20220812-en
windows7-x64
5 signatures
300 seconds
General
-
Target
syncfiles32.dll
-
Size
6.8MB
-
MD5
cc4eb5690903e06b55c7aded2023b88f
-
SHA1
0ad6db10bb08bda4bdb58bc609e1c10a1d97f859
-
SHA256
c25fcb9ebf8f56a91294910d0376986ca305ef1f7ce92750a19edec9a0d0c659
-
SHA512
0fbc292d3e754a388a11f052b5b0e58d66b3e2f35464e6c2736b3b2d0510e01240f945f2269e8a22bfad73a91024801da688a387a65f791f7d85d0ee91040408
-
SSDEEP
196608:Hf4HBWmiaZGDsFQKCT7IRSwMeDoegfaJ88:HfSBBgGQKlRieEegS28
Malware Config
Extracted
Family
systembc
C2
89.22.236.225:4193
176.124.205.5:4193
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
flow  pid   process
19    4900  rundll32.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: rundll32.exe
pid   process
4900  rundll32.exe
4900  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rundll32.exe
pid   process
4900  rundll32.exe
4900  rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
description                        pid   process       target process
PID 4856 wrote to memory of 4900   4856  rundll32.exe  rundll32.exe
PID 4856 wrote to memory of 4900   4856  rundll32.exe  rundll32.exe
PID 4856 wrote to memory of 4900   4856  rundll32.exe  rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\syncfiles32.dll,#1
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\syncfiles32.dll,#1
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses