1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:32

Target

NEAS.978d49c279c6e775e3bbbb7329da8080.dll
Size

30KB
MD5

978d49c279c6e775e3bbbb7329da8080
SHA1

78bbf4c9118f64b180841ee16a17656841000bf4
SHA256

1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9
SHA512

a0953d8713cae37e023e5efda772c2655c6664e4a312283c7c422b4d4d53c99c1715a6703d60e74c10180ff7b86b8489e5a25e88ce49a656feda3bc0d521d1de
SSDEEP

768:nOet8T6LpUg05oErzWQbxOzZ367/c2DatPFoFSwCMaKU+L:nht8T2pUXz7bQO2ty1CMxlL

Score

5^/10

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tw32.dll	rundll32.exe
File opened for modification	C:\Windows\tw32.dll	rundll32.exe
File opened for modification	C:\Windows\lua.wkl	rundll32.exe
File opened for modification	C:\Windows\lua.wkl	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "NEAS.978d49c279c6e775e3bbbb7329da8080.dll,1299695241,-2036409223,-352895392"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2436 wrote to memory of 2868	2436	rundll32.exe	28
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29
PID 2868 wrote to memory of 1220	2868	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.978d49c279c6e775e3bbbb7329da8080.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.978d49c279c6e775e3bbbb7329da8080.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\tw32.dll",_RunAs@16
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1220

C:\Windows\tw32.dll

Filesize
30KB

MD5
978d49c279c6e775e3bbbb7329da8080

SHA1
78bbf4c9118f64b180841ee16a17656841000bf4

SHA256
1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9

SHA512
a0953d8713cae37e023e5efda772c2655c6664e4a312283c7c422b4d4d53c99c1715a6703d60e74c10180ff7b86b8489e5a25e88ce49a656feda3bc0d521d1de

Download Submit
memory/1220-6-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1220-7-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1220-8-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1220-9-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1220-11-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/2868-0-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/2868-1-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/2868-2-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/2868-10-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download