3d736b2dc9e234fb7b7ce8d74589c8913e886752e2a6d3457a4b0faef19c250b

Analysis

max time kernel
205s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update32u.dll
Size

5.9MB
MD5

bc1ac26172ffac13a445923dc87eecc9
SHA1

7ea28a389072a362fd59b9fd719b6934cb6fc6a8
SHA256

3d736b2dc9e234fb7b7ce8d74589c8913e886752e2a6d3457a4b0faef19c250b
SHA512

185b82a252475158c85d9312dcaa46ae117f28014534f5359120f2dacbdd0b558c09b99266f8c69e2e006711dab1811fc1f91ec84d60d15693eb63883ac18ca3
SSDEEP

49152:O/hwTvvdeSCk0VGDgNlvuN94+tlE0aH1DgUYztPVTr+EfcdXM35EZfaimTET+az:Aa70VfrMfr8H1DgU+7EVLmTc+az

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
60	548	rundll32.exe
66	548	rundll32.exe
68	548	rundll32.exe
69	548	rundll32.exe
70	548	rundll32.exe
71	548	rundll32.exe
72	548	rundll32.exe
73	548	rundll32.exe
75	548	rundll32.exe
76	548	rundll32.exe
77	548	rundll32.exe
78	548	rundll32.exe
79	548	rundll32.exe
80	548	rundll32.exe
81	548	rundll32.exe
82	548	rundll32.exe
83	548	rundll32.exe
84	548	rundll32.exe
85	548	rundll32.exe
86	548	rundll32.exe
87	548	rundll32.exe
88	548	rundll32.exe
89	548	rundll32.exe
90	548	rundll32.exe
91	548	rundll32.exe
92	548	rundll32.exe
93	548	rundll32.exe
94	548	rundll32.exe
95	548	rundll32.exe
96	548	rundll32.exe
97	548	rundll32.exe
98	548	rundll32.exe
99	548	rundll32.exe
100	548	rundll32.exe
101	548	rundll32.exe
102	548	rundll32.exe
103	548	rundll32.exe
104	548	rundll32.exe
105	548	rundll32.exe
106	548	rundll32.exe
107	548	rundll32.exe
108	548	rundll32.exe
109	548	rundll32.exe
110	548	rundll32.exe
111	548	rundll32.exe
112	548	rundll32.exe
113	548	rundll32.exe
114	548	rundll32.exe
115	548	rundll32.exe
116	548	rundll32.exe
117	548	rundll32.exe
118	548	rundll32.exe
121	548	rundll32.exe
122	548	rundll32.exe
124	548	rundll32.exe
125	548	rundll32.exe
126	548	rundll32.exe
128	548	rundll32.exe
127	548	rundll32.exe
129	548	rundll32.exe
130	548	rundll32.exe
131	548	rundll32.exe
132	548	rundll32.exe
133	548	rundll32.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2156	powershell.exe
2156	powershell.exe
3932	powershell.exe
3932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2156	548	rundll32.exe	89
PID 548 wrote to memory of 2156	548	rundll32.exe	89
PID 548 wrote to memory of 3932	548	rundll32.exe	92
PID 548 wrote to memory of 3932	548	rundll32.exe	92
PID 3932 wrote to memory of 3144	3932	powershell.exe	95
PID 3932 wrote to memory of 3144	3932	powershell.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\update32u.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\nslookup.exe
    "C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20810d165c316378abc650cfa1e8d26a

SHA1
1e93a79cbb16e8836bc669ecbff8bd614b8fd05b

SHA256
06131bf4d4fe55b1f4bbc16d84a994b1b0891d4459bc1c5b05a8cec3725ebb27

SHA512
58fc8a24e40ab9051739ee47d99d69a24bf0ec1755a507b13fd76df47395c97a140aa56f1f4de3a0fc848216fc6f32c7e191aa862848c65226eba5c3697aa098

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3ttuei0.rwc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/548-4-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-47-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-44-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-2-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-41-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-45-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-46-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-3-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-48-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-1-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-50-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-0-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-49-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/548-26-0x0000000056FC0000-0x00000000575FE000-memory.dmp

Filesize
6.2MB

Download
memory/2156-5-0x0000024B1C6A0000-0x0000024B1C6C2000-memory.dmp

Filesize
136KB

Download
memory/2156-21-0x00007FFBE3D20000-0x00007FFBE47E1000-memory.dmp

Filesize
10.8MB

Download
memory/2156-18-0x0000024B34CF0000-0x0000024B34D00000-memory.dmp

Filesize
64KB

Download
memory/2156-17-0x0000024B34CF0000-0x0000024B34D00000-memory.dmp

Filesize
64KB

Download
memory/2156-16-0x0000024B34CF0000-0x0000024B34D00000-memory.dmp

Filesize
64KB

Download
memory/2156-15-0x00007FFBE3D20000-0x00007FFBE47E1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-24-0x000002291CD00000-0x000002291CD10000-memory.dmp

Filesize
64KB

Download
memory/3932-43-0x00007FFBE3B60000-0x00007FFBE4621000-memory.dmp

Filesize
10.8MB

Download
memory/3932-40-0x000002291CD00000-0x000002291CD10000-memory.dmp

Filesize
64KB

Download
memory/3932-39-0x000002291CD00000-0x000002291CD10000-memory.dmp

Filesize
64KB

Download
memory/3932-38-0x00007FFBE3B60000-0x00007FFBE4621000-memory.dmp

Filesize
10.8MB

Download
memory/3932-37-0x000002291CD00000-0x000002291CD10000-memory.dmp

Filesize
64KB

Download
memory/3932-25-0x000002291CD00000-0x000002291CD10000-memory.dmp

Filesize
64KB

Download
memory/3932-23-0x00007FFBE3B60000-0x00007FFBE4621000-memory.dmp

Filesize
10.8MB

Download