Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    08/12/2023, 10:24

General

  • Target

    972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll

  • Size

    3.5MB

  • MD5

    bcc4727a9d1e2e8c69adffe97bc4f7b6

  • SHA1

    60f2d82eced11c155c907116a96962dd2e14e959

  • SHA256

    972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80

  • SHA512

    34b20dac55d57002b28db055dc632fae680daf3c706500d1dcb0be4a0d80677d52278600c82914e8b53ea02fc39a231039a3ba2c5a6ffa07188c874ca3a199fd

  • SSDEEP

    98304:NIL6ZfTRgRxkgC+DEbQl5zxEtxOm3MN9W8T1U8:6/xl5sImcGe1U8

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1700
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:480

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\SysWOW64\s1l4.dll

          Filesize

          3.4MB

          MD5

          b2ee390c0b9947b86ede4deb825710a4

          SHA1

          267ca058a46609439560b4742b26e6b4b7d72a6b

          SHA256

          64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0

          SHA512

          a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b

        • memory/480-4-0x0000000000050000-0x0000000000076000-memory.dmp

          Filesize

          152KB

        • memory/480-6-0x0000000000050000-0x0000000000076000-memory.dmp

          Filesize

          152KB

        • memory/480-7-0x0000000000D30000-0x0000000000DB4000-memory.dmp

          Filesize

          528KB

        • memory/480-10-0x0000000000D30000-0x0000000000DB4000-memory.dmp

          Filesize

          528KB

        • memory/480-14-0x0000000000D30000-0x0000000000DB4000-memory.dmp

          Filesize

          528KB

        • memory/480-16-0x00000000FF310000-0x00000000FF320000-memory.dmp

          Filesize

          64KB

        • memory/480-18-0x0000000000D30000-0x0000000000DB4000-memory.dmp

          Filesize

          528KB

        • memory/480-15-0x00000000FF310000-0x00000000FF320000-memory.dmp

          Filesize

          64KB

        • memory/480-9-0x0000000000D30000-0x0000000000DB4000-memory.dmp

          Filesize

          528KB