dcf623540207c96fa559e8851828ef277f6bf82f5025fafd6eeac33ed166e10d

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2023 19:48

Target

1c220cdc.dll
Size

110KB
MD5

0993776328ea1684833f09868032549c
SHA1

ed7779094d6dce79be2252807e28c59aec8590b3
SHA256

caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a
SHA512

19f83a1718e3330e9fb0bbd61b6c21e569740d7cd22d3c2a600d9a717feaa663297d777e526dbc9c4d02beb6c3c5e12bd417058bf7995798a5c61350e5c35502
SSDEEP

3072:0LJ0tYRDh8zCTFGMCcKh0ff87FhtHW43tNncyIEyNlO:0LGtkl8zCTFGM1QA07btHW4TcjTvO

Score

1^/10

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1648	5096	regsvr32.exe	80
PID 5096 wrote to memory of 1648	5096	regsvr32.exe	80
PID 5096 wrote to memory of 1648	5096	regsvr32.exe	80
PID 1648 wrote to memory of 764	1648	regsvr32.exe	88
PID 1648 wrote to memory of 764	1648	regsvr32.exe	88
PID 1648 wrote to memory of 764	1648	regsvr32.exe	88
PID 3120 wrote to memory of 1496	3120	explorer.exe	90
PID 3120 wrote to memory of 1496	3120	explorer.exe	90
PID 1496 wrote to memory of 2844	1496	cmd.exe	93
PID 1496 wrote to memory of 2844	1496	cmd.exe	93
PID 2844 wrote to memory of 1396	2844	rundll32.exe	94
PID 2844 wrote to memory of 1396	2844	rundll32.exe	94
PID 2844 wrote to memory of 1396	2844	rundll32.exe	94

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1c220cdc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1c220cdc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe "C:\Users\Admin\AppData\Local\Temp\1519.tmp.bat"
    3⤵
    PID:764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1519.tmp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\1c220cdc.dll",DllRegisterServer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\1c220cdc.dll",DllRegisterServer
      4⤵
      PID:1396

C:\Users\Admin\AppData\Local\Temp\1519.tmp.bat

Filesize
106B

MD5
ff0d434d832974419893789cfbe870b2

SHA1
9571a6aa13b451e50f805effabc1c817941fc6ec

SHA256
b12285c8f760d7ba1acec9d167ed772653b808c34c85304946a95bc8cb7f94b2

SHA512
677085db803a375eb90bc1305c849f1c05317e60de0fbe18bef706850daf399ec78373dd11216005921474bb6a8cb4bc910f3596d67717cd49a46e3b79a66da0

Download Submit