b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d

General

Target

b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d.dll
Size

908KB
MD5

d663ebb9947ea39d2004a7fa6e8d79ca
SHA1

1fbdbe294fdb4aaa56ec93716abb2060195723c4
SHA256

b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d
SHA512

4b25c84958b67e5fe235881b534f5ea6d7017d1b53572ff734f5eeac4fb09bbac77c16960165f9225d95ee64e1e222ec53d665fa7295751d75a7b8c0522b1c16
SSDEEP

24576:GHcgLiNmJ7FWqxxixsJrJ5WRJlqvHbNAx:Cc0igBsIrJ5SqWx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	2936	rundll32.exe
15	2936	rundll32.exe
22	2936	rundll32.exe
24	2936	rundll32.exe
26	2936	rundll32.exe
29	2936	rundll32.exe
38	2936	rundll32.exe
39	2936	rundll32.exe
40	2936	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5100	2936	WerFault.exe	81

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
412	WINWORD.EXE
412	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE
412	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 412	2936	rundll32.exe	82
PID 2936 wrote to memory of 412	2936	rundll32.exe	82

cURL User-Agent 9 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	26	curl/8.0.1-DEV
HTTP User-Agent header	29	curl/8.0.1-DEV
HTTP User-Agent header	39	curl/8.0.1-DEV
HTTP User-Agent header	24	curl/8.0.1-DEV
HTTP User-Agent header	38	curl/8.0.1-DEV
HTTP User-Agent header	40	curl/8.0.1-DEV
HTTP User-Agent header	5	curl/8.0.1-DEV
HTTP User-Agent header	15	curl/8.0.1-DEV
HTTP User-Agent header	22	curl/8.0.1-DEV

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7d67a09e35031ce5260b4ee614ed83c18dc57c7625178dc6e689e0aa4f65f6d.dll,#1
1⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\downloads\关于2023年3季度个人通信费报销工作的通知.docx" /o ""
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:412
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2936 -s 1120
  2⤵
  - Program crash
  PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2936 -ip 2936
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\关于2023年3季度个人通信费报销工作的通知.docx

Filesize
500B

MD5
604839b85b4f3067dd581dc8227943a6

SHA1
dcd9a131ed39a695742c46c3d89cd5537ea7ddf6

SHA256
fac4ccbd72e7121472d0a5dafdbea65d23ce8ccdb49a3c01c1fa5cf56d02fb31

SHA512
0935c765de15ba48c0cd7555ed3758657848ee6bc5e5011667d7854093cb91ac6ac60a8575288784998aa926bf5614fc83caeed777fb738c5a16138f996a5c7d

Download Submit
C:\Users\Public\downloads\关于2023年3季度个人通信费报销工作的通知.docx

Filesize
500B

MD5
604839b85b4f3067dd581dc8227943a6

SHA1
dcd9a131ed39a695742c46c3d89cd5537ea7ddf6

SHA256
fac4ccbd72e7121472d0a5dafdbea65d23ce8ccdb49a3c01c1fa5cf56d02fb31

SHA512
0935c765de15ba48c0cd7555ed3758657848ee6bc5e5011667d7854093cb91ac6ac60a8575288784998aa926bf5614fc83caeed777fb738c5a16138f996a5c7d

Download Submit
memory/412-152-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-190-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-144-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-143-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-141-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-146-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-147-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-148-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-149-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-145-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-150-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-154-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-142-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-140-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-151-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-155-0x00007FFD0AF10000-0x00007FFD0AF20000-memory.dmp

Filesize
64KB

Download
memory/412-156-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-139-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-162-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-165-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-168-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-167-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download
memory/412-188-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-189-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-153-0x00007FFD0AF10000-0x00007FFD0AF20000-memory.dmp

Filesize
64KB

Download
memory/412-191-0x00007FFD0D0B0000-0x00007FFD0D0C0000-memory.dmp

Filesize
64KB

Download
memory/412-192-0x00007FFD4D030000-0x00007FFD4D225000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing