Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/12/2023, 10:24

General

  • Target

    972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll

  • Size

    3.5MB

  • MD5

    bcc4727a9d1e2e8c69adffe97bc4f7b6

  • SHA1

    60f2d82eced11c155c907116a96962dd2e14e959

  • SHA256

    972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80

  • SHA512

    34b20dac55d57002b28db055dc632fae680daf3c706500d1dcb0be4a0d80677d52278600c82914e8b53ea02fc39a231039a3ba2c5a6ffa07188c874ca3a199fd

  • SSDEEP

    98304:NIL6ZfTRgRxkgC+DEbQl5zxEtxOm3MN9W8T1U8:6/xl5sImcGe1U8

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:2828
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4436

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\s22g.dll

            Filesize

            3.4MB

            MD5

            b2ee390c0b9947b86ede4deb825710a4

            SHA1

            267ca058a46609439560b4742b26e6b4b7d72a6b

            SHA256

            64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0

            SHA512

            a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b

          • memory/4436-7-0x000001962D340000-0x000001962D350000-memory.dmp

            Filesize

            64KB

          • memory/4436-23-0x000001962D440000-0x000001962D450000-memory.dmp

            Filesize

            64KB

          • memory/4436-39-0x0000019635740000-0x0000019635741000-memory.dmp

            Filesize

            4KB

          • memory/4436-41-0x0000019635770000-0x0000019635771000-memory.dmp

            Filesize

            4KB

          • memory/4436-42-0x0000019635770000-0x0000019635771000-memory.dmp

            Filesize

            4KB

          • memory/4436-43-0x0000019635880000-0x0000019635881000-memory.dmp

            Filesize

            4KB