815e971458eb6208609852d82821738f8eb8092c063e64c1e2d4424c484c3b02

Analysis

max time kernel
138s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 21:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

815e971458eb6208609852d82821738f8eb8092c063e64c1e2d4424c484c3b02.dll
Size

980KB
MD5

78d72db4cd2fcb1ccbcd0d56c073ecd6
SHA1

de24d75dddc49da51df2152c270e047aee7920db
SHA256

815e971458eb6208609852d82821738f8eb8092c063e64c1e2d4424c484c3b02
SHA512

29e567398266ab4976b600ec5d3afdcef0a14c3d83563b5fb2e47cad65f70097ed062fda5b07c99ee526181a5678c4b6d1441f09d22d38b69c215d9f846be75f
SSDEEP

24576:FYba1BY0nAYGEBIPX2faq6Y0n1YFF9kf/+EBqAvHrVHepuy1hKspUu5t:I4KYbBIPGfaq6Y0n1iF9kfGEBqAvHrVW

Score

8^/10

evasion

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	432	rundll32.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3736	sc.exe
4464	sc.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
432	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 432	3852	rundll32.exe	46
PID 3852 wrote to memory of 432	3852	rundll32.exe	46
PID 3852 wrote to memory of 432	3852	rundll32.exe	46
PID 432 wrote to memory of 3060	432	rundll32.exe	95
PID 432 wrote to memory of 3060	432	rundll32.exe	95
PID 432 wrote to memory of 3060	432	rundll32.exe	95
PID 3060 wrote to memory of 3736	3060	CMD.exe	97
PID 3060 wrote to memory of 3736	3060	CMD.exe	97
PID 3060 wrote to memory of 3736	3060	CMD.exe	97
PID 432 wrote to memory of 920	432	rundll32.exe	98
PID 432 wrote to memory of 920	432	rundll32.exe	98
PID 432 wrote to memory of 920	432	rundll32.exe	98
PID 920 wrote to memory of 4464	920	CMD.exe	100
PID 920 wrote to memory of 4464	920	CMD.exe	100
PID 920 wrote to memory of 4464	920	CMD.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\815e971458eb6208609852d82821738f8eb8092c063e64c1e2d4424c484c3b02.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\815e971458eb6208609852d82821738f8eb8092c063e64c1e2d4424c484c3b02.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C SC STOP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\sc.exe
      SC STOP
      4⤵
      Launches sc.exe
      PID:3736
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C SC DELETE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\sc.exe
      SC DELETE
      4⤵
      Launches sc.exe
      PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-0-0x0000000010000000-0x000000001011B000-memory.dmp

Filesize
1.1MB

Download
memory/432-7-0x0000000010000000-0x000000001011B000-memory.dmp

Filesize
1.1MB

Download