b99a59e59dab61fccf50b54034248b7272d80277c2f05d48c3226c85297be4e6

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2023 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99a59e59dab61fccf50b54034248b7272d80277c2f05d48c3226c85297be4e6.dll
Size

413KB
MD5

d91621d4112a79df2ab5541ef771c363
SHA1

6f76209d52d812d71ae75252a9390547ae211443
SHA256

b99a59e59dab61fccf50b54034248b7272d80277c2f05d48c3226c85297be4e6
SHA512

c3d44ff7f54ce1d166c28dda122d1c9c5e0acc63e4ce506d7b4da148e6ec937694d5ff7e34e1789376eec671ec9484a10f91c26e305d807d36b45975dc5a8093
SSDEEP

3072:Gh+Q287Uss3Wf5eOZyutAwfGB0nEgAabkER9Hrl1WXg8naDx:Gh+Q287UvWBeDspnTbJR9LlL8aN

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 47 IoCs

flow	pid	Process
14	2380	rundll32.exe
38	2380	rundll32.exe
39	2380	rundll32.exe
43	2380	rundll32.exe
47	2380	rundll32.exe
48	2380	rundll32.exe
49	2380	rundll32.exe
50	2380	rundll32.exe
51	2380	rundll32.exe
57	2380	rundll32.exe
62	2380	rundll32.exe
79	2380	rundll32.exe
81	2380	rundll32.exe
82	2380	rundll32.exe
83	2380	rundll32.exe
84	2380	rundll32.exe
85	2380	rundll32.exe
86	2380	rundll32.exe
87	2380	rundll32.exe
95	2380	rundll32.exe
96	2380	rundll32.exe
97	2380	rundll32.exe
98	2380	rundll32.exe
99	2380	rundll32.exe
100	2380	rundll32.exe
101	2380	rundll32.exe
104	2380	rundll32.exe
106	2380	rundll32.exe
107	2380	rundll32.exe
108	2380	rundll32.exe
109	2380	rundll32.exe
110	2380	rundll32.exe
111	2380	rundll32.exe
112	2380	rundll32.exe
113	2380	rundll32.exe
114	2380	rundll32.exe
115	2380	rundll32.exe
116	2380	rundll32.exe
117	2380	rundll32.exe
118	2380	rundll32.exe
119	2380	rundll32.exe
120	2380	rundll32.exe
121	2380	rundll32.exe
122	2380	rundll32.exe
126	2380	rundll32.exe
127	2380	rundll32.exe
128	2380	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³À¶ÆÁÐÞ¸´ = "C:\\Windows\\SysWOW64\\rundll32.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\SysWOW64\\rundll32.exe"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2380	5040	rundll32.exe	88
PID 5040 wrote to memory of 2380	5040	rundll32.exe	88
PID 5040 wrote to memory of 2380	5040	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b99a59e59dab61fccf50b54034248b7272d80277c2f05d48c3226c85297be4e6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b99a59e59dab61fccf50b54034248b7272d80277c2f05d48c3226c85297be4e6.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2380-0-0x0000000002770000-0x000000000278A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads