Malware Analysis Report

2024-11-30 22:52

Sample ID 230511-tj2knshg64
Target 23lk42joia.dll
SHA256 a770f54e2275c283b919ffa78c3679e331450ca0c40d0e482ffdf2feb361cf68
Tags
score
3/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
3/10

SHA256

a770f54e2275c283b919ffa78c3679e331450ca0c40d0e482ffdf2feb361cf68

Threat Level: Likely benign

The file 23lk42joia.dll was found to be: Likely benign.

Malicious Activity Summary


Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-11 16:06

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-11 16:06

Reported

2023-05-11 16:09

Platform

win7-20230220-en

Max time kernel

8s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23lk42joia.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                        Indicator   Process                            Target
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 1440 wrote to memory of 1348   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23lk42joia.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23lk42joia.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-11 16:06

Reported

2023-05-11 16:09

Platform

win10v2004-20230220-en

Max time kernel

183s

Max time network

194s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23lk42joia.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description                        Indicator   Process                            Target
PID 4888 wrote to memory of 4452   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 4452   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 4452   N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23lk42joia.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23lk42joia.dll,#1

Network

Country   Destination          Domain                                                                 Proto
IE        20.123.104.105:443                                                                          tcp
US        40.125.122.151:443                                                                          tcp
US        209.197.3.8:80                                                                              tcp
US        8.8.8.8:53           41.110.16.96.in-addr.arpa                                              udp
US        8.8.8.8:53           171.39.242.20.in-addr.arpa                                             udp
US        8.8.8.8:53           2.36.159.162.in-addr.arpa                                              udp
US        8.8.8.8:53           6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa   udp
US        209.197.3.8:80                                                                              tcp
US        40.125.122.176:443                                                                          tcp
US        20.42.65.85:443                                                                             tcp
US        8.8.8.8:53           196.249.167.52.in-addr.arpa                                            udp
US        40.125.122.176:443                                                                          tcp
US        93.184.220.29:80                                                                            tcp
US        93.184.220.29:80                                                                            tcp
US        209.197.3.8:80                                                                              tcp
US        40.125.122.176:443                                                                          tcp
IE        40.126.31.69:443                                                                            tcp
US        8.8.8.8:53           73.159.190.20.in-addr.arpa                                             udp
US        8.8.8.8:53           123.108.74.40.in-addr.arpa                                             udp
US        8.8.8.8:53           121.252.72.23.in-addr.arpa                                             udp
US        40.125.122.176:443                                                                          tcp
IE        20.190.159.68:443                                                                           tcp
US        40.125.122.176:443                                                                          tcp
IE        20.190.159.75:443                                                                           tcp
US        40.125.122.176:443                                                                          tcp
US        8.8.8.8:53           73.31.126.40.in-addr.arpa                                              udp
US        8.8.8.8:53           209.205.72.20.in-addr.arpa                                             udp
US        40.125.122.176:443                                                                          tcp
US        8.8.8.8:53           2.159.190.20.in-addr.arpa                                              udp
US        40.125.122.176:443                                                                          tcp

Files

N/A