Analysis

  • max time kernel
    1375s
  • max time network
    1169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2023, 10:38

General

  • Target

    DLL/RollMQTT.dll

  • Size

    60KB

  • MD5

    dec05b850068b39bad89d285b2d9ffa5

  • SHA1

    795dfbf74d955dc22026383acf12e97fe5c24c1d

  • SHA256

    e5beab2288ae60d8e7ce7950ab8295a311301db68277a8b547fc03059d10ba18

  • SHA512

    14ecda60cc0665ff4d54fc09b41847783e1e4134f7293c4f6f6f05a1eee92e1404ca429b5192f2828539a8142579c169267782d22e83ae18612c0d103cce4ba2

  • SSDEEP

    1536:vDUnpFoDZWgLk/87dqy9u2hqTpLXonjN:vApf0Yy9nhqTpLY

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\DLL\RollMQTT.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\DLL\RollMQTT.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      PID:972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/972-0-0x0000000000C90000-0x0000000000CA0000-memory.dmp

    Filesize

    64KB

  • memory/972-1-0x0000000000C60000-0x0000000000C78000-memory.dmp

    Filesize

    96KB

  • memory/972-2-0x0000000075360000-0x0000000075378000-memory.dmp

    Filesize

    96KB

  • memory/972-3-0x0000000074A20000-0x00000000751D0000-memory.dmp

    Filesize

    7.7MB

  • memory/972-5-0x0000000074A20000-0x00000000751D0000-memory.dmp

    Filesize

    7.7MB