Analysis
max time kernel: 135s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2023 00:35
Behavioral task: behavioral1
Sample: e509525c561e9e4bea7029b1077a265a4ce277e699f534bc5eb6c4d24a626e63.dll
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: e509525c561e9e4bea7029b1077a265a4ce277e699f534bc5eb6c4d24a626e63.dll
Resource: win10v2004-20230220-en
General
Target: e509525c561e9e4bea7029b1077a265a4ce277e699f534bc5eb6c4d24a626e63.dll
Size: 447KB
MD5: 1eae2c76ca9006edd45d83c278de0f07
SHA1: 846dd63256f0c03648b432a70f14cc1ae050e3f8
SHA256: e509525c561e9e4bea7029b1077a265a4ce277e699f534bc5eb6c4d24a626e63
SHA512: 1de61f5e7a065c9676a7a4fe3e62a9f7051b71dce10c7fc21e58716057137196bfeb1bf5ff82a8845ab1a9ad96b744a4b44142c6c0638985fa88234336f2e993
SSDEEP: 6144:toCTITIQJR7BoY5s+jmEuyN5nB3w0c6z9NFNGGcmk3xsKXgzOvygbddklP4Kzu4J:3IsoRqOluY3vbtTThSgobLk14yu45F
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (4 IoCs)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\HELPDIR | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0 | rundll32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: rundll32.exe
pid | process
1040 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 1952 wrote to memory of 1040 | 1952 | rundll32.exe | rundll32.exe
PID 1952 wrote to memory of 1040 | 1952 | rundll32.exe | rundll32.exe
PID 1952 wrote to memory of 1040 | 1952 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e509525c561e9e4bea7029b1077a265a4ce277e699f534bc5eb6c4d24a626e63.dll,#1
   PID: 1952
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1952)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e509525c561e9e4bea7029b1077a265a4ce277e699f534bc5eb6c4d24a626e63.dll,#1
      PID: 1040
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx