990a4cd6dd9575cbd2122f560ff68420c1c9dbfde3c9d6a5181b0f54a7e497cd

Analysis

max time kernel
122s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 10:44

Target

hacintor.dll
Size

51KB
MD5

bf50249bc945da25c2f364c216a759e0
SHA1

7df0d15ed36707f2b4979646447c63fd932f4cb1
SHA256

990a4cd6dd9575cbd2122f560ff68420c1c9dbfde3c9d6a5181b0f54a7e497cd
SHA512

6dada5295c135f0446409c4a8acbd9bbae316b38d03ba9c6b5accc348b3e62951f63ec059e2dd40cce3f0d0fbcdd1da63e680671f7664a3b1d43088e911ace49
SSDEEP

384:6AYci7KqOESXvZioqMWFDNs3l89fCncqn5hGb1RDvqv3zUvTJcYn17:6AYF1CvZioE289wNy1RDyD8P17

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	3260	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3260	3228	rundll32.exe	83
PID 3228 wrote to memory of 3260	3228	rundll32.exe	83
PID 3228 wrote to memory of 3260	3228	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\hacintor.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:3260