7d408e011bb7f8096974b1a7564f25a3185dbb9a4430592cdb309eea06ec5eaa

Analysis

max time kernel
160s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d408e011bb7f8096974b1a7564f25a3185dbb9a4430592cdb309eea06ec5eaa.dll
Size

2.6MB
MD5

c0353df9dda7fd4a00369b16394c4311
SHA1

94042cc28bdebebdb708d6b5f688b87c49814f12
SHA256

7d408e011bb7f8096974b1a7564f25a3185dbb9a4430592cdb309eea06ec5eaa
SHA512

77462229bcd174c448ce2e1a9985772ecb87bb10aa01aff43303fa6d6a0ff9701a8d2308e947e8b62ad87f83e043dd2d6bdb7de7f3befe5aac63170fbb1dd0c8
SSDEEP

49152:ZsxSZ3Qg0y57xKV4qIAoaoXqlDIWyN+T14so9Nt4ic/qXNXQxeaOPLP:ZsCxUI9XqlMVpc/q5QoRLP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3340	C062.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	C062.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	C062.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	C062.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	C062.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll	C062.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL	C062.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll	C062.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	C062.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	rundll32.exe
4884	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4884	3636	rundll32.exe	86
PID 3636 wrote to memory of 4884	3636	rundll32.exe	86
PID 3636 wrote to memory of 4884	3636	rundll32.exe	86
PID 4884 wrote to memory of 3340	4884	rundll32.exe	89
PID 4884 wrote to memory of 3340	4884	rundll32.exe	89
PID 4884 wrote to memory of 3340	4884	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d408e011bb7f8096974b1a7564f25a3185dbb9a4430592cdb309eea06ec5eaa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d408e011bb7f8096974b1a7564f25a3185dbb9a4430592cdb309eea06ec5eaa.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\C062.tmp
    C:\Users\Admin\AppData\Local\Temp\C062.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C062.tmp

Filesize
144KB

MD5
07a91ef915671b2487f91773f9bb6700

SHA1
acf15963c8d854e90c8c56d8511e296ed279b2f3

SHA256
dfec79bd0c4545f7175f73550803b275ac63c4991bd3107005a5a4c19327798b

SHA512
68f7307b378ee8223d51233d0805fa52761950c0fabc0bec9e94cf80b7b8894b080c20256a4a5ac75e8f1e2ee169cffe85590de6748f1eaceb12fae76917e3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C062.tmp

Filesize
64KB

MD5
f46f842765ca73ba39616a77f0206606

SHA1
64a97fc2cf6b8061a9420a87c0f8a988fc8b9d32

SHA256
4018d672b148c0f57a33a6282949241d56e0e416d60d38c78cb17381765e29ca

SHA512
f77d97a192626f754bc8c902cec6df841dc0775338bd8bc49b8c4a863e56fc9208981708e39397fdc83f62efa3586101ad1c5c4ec3cd94a1d117170c20588b32

Download Submit
memory/4884-0-0x0000000002370000-0x0000000002437000-memory.dmp

Filesize
796KB

Download
memory/4884-1-0x0000000002370000-0x0000000002437000-memory.dmp

Filesize
796KB

Download