Analysis Overview
SHA256
0d27af26366f183e53856cc8bb5ef9c30c45ea63e4dc28420b1305553a8ab87b
Threat Level: Known bad
The file Malware.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Unsigned PE
Gathers network information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-10 17:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-10 17:49
Reported
2023-05-10 18:00
Platform
win10-20230220-en
Max time kernel
376s
Max time network
440s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 1396 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-05-10 17:49
Reported
2023-05-10 18:00
Platform
win7-20230220-en
Max time kernel
600s
Max time network
600s
Command Line
Signatures
Qakbot/Qbot
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe Dropsically.Spinose print
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Dropsically.Spinose print
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\ping.exe
ping -n 3 yahoo.com
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\whoami.exe
whoami /all
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-05-10 17:49
Reported
2023-05-10 18:00
Platform
win10-20230220-en
Max time kernel
603s
Max time network
543s
Command Line
Signatures
Qakbot/Qbot
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe Dropsically.Spinose print
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Dropsically.Spinose print
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\ping.exe
ping -n 3 yahoo.com
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\whoami.exe
whoami /all
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-10 17:49
Reported
2023-05-10 18:00
Platform
win7-20230220-en
Max time kernel
403s
Max time network
406s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1580 wrote to memory of 1624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dropsically.dll,#1