aa92f65def527de28f2f6e956e4b4849b1e5e441919df86139e96221101a828b

Analysis

max time kernel
154s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 05:23

Target

aa92f65def527de28f2f6e956e4b4849b1e5e441919df86139e96221101a828b.dll
Size

180KB
MD5

019231ec771e7404a8df6aacc002fbea
SHA1

a6ff0f4d8e8174e69b2e737f2908836f520e0efc
SHA256

aa92f65def527de28f2f6e956e4b4849b1e5e441919df86139e96221101a828b
SHA512

075e3afd8213833a163d7ab6e46286deeb9b71b1dd4e857db181591438485e20e7b625cae7bb200e9c34d208aebe2458eaad32570fee3bb1fb69d7c64629bb75
SSDEEP

3072:RblTMtIkyV+gXwabnWpXje3htTBfdMFw67+:RbmOk5+wCngXyRtTB1+L+

Score

8^/10

persistence

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	1304	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Windows\\SysWOW64\\rundll32.exe"	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 1304	4488	rundll32.exe	86
PID 4488 wrote to memory of 1304	4488	rundll32.exe	86
PID 4488 wrote to memory of 1304	4488	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa92f65def527de28f2f6e956e4b4849b1e5e441919df86139e96221101a828b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa92f65def527de28f2f6e956e4b4849b1e5e441919df86139e96221101a828b.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1304