2421ed9da001b0094341b9fc0fe2d773b6ae572e81b515fc37b7da80b41dd064

Analysis

max time kernel
152s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 15:18

Target

eec01a84b350fd3035f6ba8c361ed4a0_dll32_JC.dll
Size

5.6MB
MD5

eec01a84b350fd3035f6ba8c361ed4a0
SHA1

b0a0607c43b702e202bbd875f306696b29c03920
SHA256

2421ed9da001b0094341b9fc0fe2d773b6ae572e81b515fc37b7da80b41dd064
SHA512

b6a565302dc7558ea122b07905fd3d2e88fc25e8aec5aa85411f169596ee7bdf3feb768f76367d6a9b5529c6587adcbec35b1f7d4c54a7715bd7b12c3b4b41a5
SSDEEP

98304:leTVTHZdd14Usm0688rbp3ZhJtsyowqBS5zFDFLOAkGkzdnEVomFHKnP51ayy/8j:4BTHZv1Um0q3ZhxaBS5zZFLOyomFHKnT

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2804	3C29.tmp

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	3C29.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	3C29.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	3C29.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	3C29.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	3C29.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4788	4420	rundll32.exe	83
PID 4420 wrote to memory of 4788	4420	rundll32.exe	83
PID 4420 wrote to memory of 4788	4420	rundll32.exe	83
PID 4788 wrote to memory of 2804	4788	rundll32.exe	86
PID 4788 wrote to memory of 2804	4788	rundll32.exe	86
PID 4788 wrote to memory of 2804	4788	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eec01a84b350fd3035f6ba8c361ed4a0_dll32_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eec01a84b350fd3035f6ba8c361ed4a0_dll32_JC.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\3C29.tmp
    C:\Users\Admin\AppData\Local\Temp\3C29.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2804

C:\Users\Admin\AppData\Local\Temp\3C29.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C29.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/4788-0-0x0000000002900000-0x00000000029C5000-memory.dmp

Filesize
788KB

Download
memory/4788-1-0x0000000002900000-0x00000000029C5000-memory.dmp

Filesize
788KB

Download