ecc34936abb58e91c38fd1417ef4c73edf29f1a2fbf756f8558c38ec5c8a6f2d

Analysis

max time kernel
107s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prnfsdk.dll
Size

561KB
MD5

254cc44ce91502782700f57d8d15708e
SHA1

7c9eb552dbc9c928a4cc1b920a385cccbc72226c
SHA256

ecc34936abb58e91c38fd1417ef4c73edf29f1a2fbf756f8558c38ec5c8a6f2d
SHA512

fa821f70d72f018c418fdef50c63d2260f844951050867172cc131230b4e8559a46d752aaf25e6f6c6dada23f38ce50b8413b52c9941a836d69baa2e4fd3f50b
SSDEEP

12288:8nD1Gua++lefMAqzn9gX/Fq8WB7C5gnSsJo+IhXEm/:ID1xa++l2C92/FLgnzRIhXEY

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netsvc_f7b5e795\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\prnfsdk.dll"	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3784-133-0x00007FFF0F7E0000-0x00007FFF0F928000-memory.dmp	upx
behavioral2/memory/3784-135-0x00007FFF0F7E0000-0x00007FFF0F928000-memory.dmp	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	35.229.244.54
Destination IP	35.229.244.54

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3784	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\prnfsdk.dll,#1
1⤵
- Sets DLL path for service in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3784-133-0x00007FFF0F7E0000-0x00007FFF0F928000-memory.dmp

Filesize
1.3MB

Download
memory/3784-135-0x00007FFF0F7E0000-0x00007FFF0F928000-memory.dmp

Filesize
1.3MB

Download