Analysis
-
max time kernel
144s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
20-07-2023 01:04
General
-
Target
b3d7005a06021286c84ed7f8293cba966e0137df769e80579df7f3c6a2d3c1f3.dll
-
Size
335KB
-
MD5
a637c909097b250da561b12ae33e7486
-
SHA1
f71cc41357814b5c3b132aaaedd6a24ebbd0c102
-
SHA256
b3d7005a06021286c84ed7f8293cba966e0137df769e80579df7f3c6a2d3c1f3
-
SHA512
a02a4244947a3ca24d65a356b8ae405b4620884d033d29570a411c539f6e55eca0c579ab3b61de9a14e4eaec66417e57974ee7b28bb03e2728c359cef3168ce3
-
SSDEEP
6144:R1VH+po6EJ5IYW6eBveHVK8PNEt1ZJr0HkT7Npvm7sbnTH7Mx:3d4oR+YImEx/gkThp0wnTHYx
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b3d7005a06021286c84ed7f8293cba966e0137df769e80579df7f3c6a2d3c1f3.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b3d7005a06021286c84ed7f8293cba966e0137df769e80579df7f3c6a2d3c1f3.dll,#12⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C nltest /domain_trusts > C:\ProgramData\TMPUSER.DAT3⤵
-
-