Analysis
  max time kernel:   122s
  max time network:  139s
  platform:          windows7_x64
  resource:          win7-20231023-en
  resource tags:     arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  submitted:         12/11/2023, 01:46
Behavioral task: behavioral1
  Sample:    6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll
  Resource:  win7-20231023-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample:    6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll
  Resource:  win10v2004-20231023-en
  5 signatures, 150 seconds
General
  Target:  6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll
  Size:    8.1MB
  MD5:     7a34b0a71978839c0f1b67ddecce33e1
  SHA1:    efe3b29f5c015993a46ea3aac3e50c377e2c2e0a
  SHA256:  6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5
  SHA512:  e5717938edee821b80c02f254d36bd701358d8ba3738815ffdd5e4d02cf5c1171b8f60d43707343aec4d2ed5737a9783bea69e4cda31ec1d76772ead3ea190e1
  SSDEEP:  196608:PLejSGJHFn+3Yh8gZRZuuwRx5n6eRBjlH8G0xeOO0e8YP:yeGJMSZu9Rx56eRBZ8G2RO0X
  Score:   8/10
Malware Config
Signatures

  Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    3     1720  rundll32.exe
    2     1720  rundll32.exe

  (signature name not present in the extracted report)
    resource                                                                     yara_rule
    behavioral1/memory/1720-3-0x0000000010000000-0x0000000010F91000-memory.dmp   vmprotect
    behavioral1/memory/1720-7-0x0000000010000000-0x0000000010F91000-memory.dmp   vmprotect
    behavioral1/memory/1720-38-0x0000000010000000-0x0000000010F91000-memory.dmp  vmprotect

  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    1720  rundll32.exe
    1720  rundll32.exe
    1720  rundll32.exe
    1720  rundll32.exe

  Suspicious use of SetWindowsHookEx (1 IoC)
    pid   Process
    1720  rundll32.exe

  Suspicious use of WriteProcessMemory (7 IoCs)
    description                       pid   Process       procid_target
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
    PID 2952 wrote to memory of 1720  2952  rundll32.exe  28
Processes

  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll,#1
     PID: 2952
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2952)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6676daa5ac462be5ab9db5b70a82e2fc6583b9ec2eaad6bc176ddb61ef08c5e5.dll,#1
        PID: 1720
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx