1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9

Analysis

max time kernel
153s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:32

Target

NEAS.978d49c279c6e775e3bbbb7329da8080.dll
Size

30KB
MD5

978d49c279c6e775e3bbbb7329da8080
SHA1

78bbf4c9118f64b180841ee16a17656841000bf4
SHA256

1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9
SHA512

a0953d8713cae37e023e5efda772c2655c6664e4a312283c7c422b4d4d53c99c1715a6703d60e74c10180ff7b86b8489e5a25e88ce49a656feda3bc0d521d1de
SSDEEP

768:nOet8T6LpUg05oErzWQbxOzZ367/c2DatPFoFSwCMaKU+L:nht8T2pUXz7bQO2ty1CMxlL

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
4036	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lua.wkl	rundll32.exe
File created	C:\Windows\tw32.dll	rundll32.exe
File opened for modification	C:\Windows\tw32.dll	rundll32.exe
File opened for modification	C:\Windows\lua.wkl	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "NEAS.978d49c279c6e775e3bbbb7329da8080.dll,1299695241,-2036409223,-352895392"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1212	3292	rundll32.exe	86
PID 3292 wrote to memory of 1212	3292	rundll32.exe	86
PID 3292 wrote to memory of 1212	3292	rundll32.exe	86
PID 1212 wrote to memory of 4036	1212	rundll32.exe	87
PID 1212 wrote to memory of 4036	1212	rundll32.exe	87
PID 1212 wrote to memory of 4036	1212	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.978d49c279c6e775e3bbbb7329da8080.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.978d49c279c6e775e3bbbb7329da8080.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\tw32.dll",_RunAs@16
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4036

C:\Windows\tw32.dll

Filesize
30KB

MD5
978d49c279c6e775e3bbbb7329da8080

SHA1
78bbf4c9118f64b180841ee16a17656841000bf4

SHA256
1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9

SHA512
a0953d8713cae37e023e5efda772c2655c6664e4a312283c7c422b4d4d53c99c1715a6703d60e74c10180ff7b86b8489e5a25e88ce49a656feda3bc0d521d1de

Download Submit
C:\Windows\tw32.dll

Filesize
30KB

MD5
978d49c279c6e775e3bbbb7329da8080

SHA1
78bbf4c9118f64b180841ee16a17656841000bf4

SHA256
1e2becaa004477dcd1e0bdc580af4f58e73909f3918d4cf05affc2702815e5f9

SHA512
a0953d8713cae37e023e5efda772c2655c6664e4a312283c7c422b4d4d53c99c1715a6703d60e74c10180ff7b86b8489e5a25e88ce49a656feda3bc0d521d1de

Download Submit
memory/1212-0-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/1212-5-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download
memory/4036-6-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download