54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 09:16

Target

54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b.dll
Size

952KB
MD5

4d8d1c87b2f891c0c3d3b31fc5affc7a
SHA1

25f2740febbd6356125a83b2368cd32e1117c050
SHA256

54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b
SHA512

288c0fed22caa009481b79cdc7750bc2bda951174b9e2727cf2c1c3b5f1af6db9cb0ed53165e4ded106cea822b42ed7fb4edc949c262bc0ba1d72824da965a64
SSDEEP

12288:dBGcUENeWpQGdDi3MQwPZs5u5KMsplPIEubW/1rCUX7VNCoQ:dBGcdM6QGd23DwPZs5qKrpBC27VNCX

Score

5^/10

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxcz103971782186000.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\secvbnmcxccvxcxcsdsdsxcxcz103971782186000.exe	rundll32.exe
File created	C:\Windows\SysWOW64\mecxzcaasxzcxcassascxcxcx23667.exe	rundll32.exe
File created	C:\Windows\SysWOW64\Restart.bat	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2940	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1120	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1120	1224	rundll32.exe	83
PID 1224 wrote to memory of 1120	1224	rundll32.exe	83
PID 1224 wrote to memory of 1120	1224	rundll32.exe	83
PID 1120 wrote to memory of 4312	1120	rundll32.exe	90
PID 1120 wrote to memory of 4312	1120	rundll32.exe	90
PID 1120 wrote to memory of 4312	1120	rundll32.exe	90
PID 4312 wrote to memory of 2940	4312	cmd.exe	92
PID 4312 wrote to memory of 2940	4312	cmd.exe	92
PID 4312 wrote to memory of 2940	4312	cmd.exe	92
PID 4312 wrote to memory of 2660	4312	cmd.exe	93
PID 4312 wrote to memory of 2660	4312	cmd.exe	93
PID 4312 wrote to memory of 2660	4312	cmd.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\54fdc704535a71d1dc5340153ca96f56d2bddd7a2e781bdb368d2abbfe35959b.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\Restart.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2940
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      4⤵
      PID:2660

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\Restart.bat

Filesize
99B

MD5
8203f62537cc26e47dc61fce77057cea

SHA1
8a8bed2b94ae5c3020e636376a109d4e61b9d264

SHA256
790b487c98b16a7b1596ec5077862d7d1fcfc4a156fb867373dbd795e84b651c

SHA512
6a59f5680dc0c60e8951e48e2c0ede115e5f333e67a1cd5d7d21f897cde1f6ed108f268f1352b96b15220cb7959e1f44786ec74e26bbebdf8dcee21f8eb8a35c

Download Submit