cfa61a9b2d8736223a5e0395f4e5d6c85f6a3649f87dacbc6ecc97084c3b7c26

Analysis

max time kernel
201s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:43

Target

cfa61a9b2d8736223a5e0395f4e5d6c85f6a3649f87dacbc6ecc97084c3b7c26.dll
Size

2.6MB
MD5

4bb37313bbaf7193f01ba8ce976c6bcc
SHA1

3d324520f785f7346b17810f0ecc5f044276c036
SHA256

cfa61a9b2d8736223a5e0395f4e5d6c85f6a3649f87dacbc6ecc97084c3b7c26
SHA512

7aa6516c28b9b592e1204ba2524f4d45ff3e0ca1223f902efc5f85c3f35eb5873acd3d56ca426eb1e9723a4d3a45264581739035c7ed4591ccc8a89fd7127044
SSDEEP

49152:e3iIpEdky9RCfr49CD+/mcH4fcdvBC5pXhEQTZ1lsc47v1v/6xgtPBD7I2r8o:ij6Cfsz/mcXBBoe1n6xgHD7Fr

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4384	47EC.tmp

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	47EC.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	47EC.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	47EC.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	47EC.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3116	rundll32.exe
3116	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3116	1616	rundll32.exe	88
PID 1616 wrote to memory of 3116	1616	rundll32.exe	88
PID 1616 wrote to memory of 3116	1616	rundll32.exe	88
PID 3116 wrote to memory of 4384	3116	rundll32.exe	89
PID 3116 wrote to memory of 4384	3116	rundll32.exe	89
PID 3116 wrote to memory of 4384	3116	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfa61a9b2d8736223a5e0395f4e5d6c85f6a3649f87dacbc6ecc97084c3b7c26.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cfa61a9b2d8736223a5e0395f4e5d6c85f6a3649f87dacbc6ecc97084c3b7c26.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\47EC.tmp
    C:\Users\Admin\AppData\Local\Temp\47EC.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4384

C:\Users\Admin\AppData\Local\Temp\47EC.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\47EC.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/3116-0-0x0000000002DD0000-0x0000000002E98000-memory.dmp

Filesize
800KB

Download
memory/3116-1-0x0000000002DD0000-0x0000000002E98000-memory.dmp

Filesize
800KB

Download