157d546a7d84ff9cad620083cab6e0798008f2d0a3a39c919ebdc0c28b638d53

Analysis

max time kernel
144s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16a1f72dfa9eab85603db66295bc1186.dll
Size

281KB
MD5

16a1f72dfa9eab85603db66295bc1186
SHA1

55f6ec8d68287cb8ea9b3bfd6bc6c9786d03a2ae
SHA256

157d546a7d84ff9cad620083cab6e0798008f2d0a3a39c919ebdc0c28b638d53
SHA512

9afe110ed38d84b0237f22b84ab5ef8bedb6b4564f78a1fccb299039975ea61b40df75b8228b148f7a7f70c47adb4b4729f9c684c47788e354563077a93f70a0
SSDEEP

6144:PBwX+vLpehzMg64adKxTVsQvMRlkM4RD/qzMfUZ:PsvzW43LMRGM4h/qof8

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c0000000122fe-2.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
3040	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000122fe-2.dat	upx
behavioral1/memory/3040-4-0x0000000000720000-0x0000000000753000-memory.dmp	upx
behavioral1/memory/3040-9-0x0000000000720000-0x0000000000753000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	3040	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	rundll32.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 1192 wrote to memory of 3040	1192	rundll32.exe	28
PID 3040 wrote to memory of 1984	3040	rundll32.exe	29
PID 3040 wrote to memory of 1984	3040	rundll32.exe	29
PID 3040 wrote to memory of 1984	3040	rundll32.exe	29
PID 3040 wrote to memory of 1984	3040	rundll32.exe	29
PID 3040 wrote to memory of 2304	3040	rundll32.exe	31
PID 3040 wrote to memory of 2304	3040	rundll32.exe	31
PID 3040 wrote to memory of 2304	3040	rundll32.exe	31
PID 3040 wrote to memory of 2304	3040	rundll32.exe	31
PID 3040 wrote to memory of 2716	3040	rundll32.exe	32
PID 3040 wrote to memory of 2716	3040	rundll32.exe	32
PID 3040 wrote to memory of 2716	3040	rundll32.exe	32
PID 3040 wrote to memory of 2716	3040	rundll32.exe	32
PID 3040 wrote to memory of 2704	3040	rundll32.exe	34
PID 3040 wrote to memory of 2704	3040	rundll32.exe	34
PID 3040 wrote to memory of 2704	3040	rundll32.exe	34
PID 3040 wrote to memory of 2704	3040	rundll32.exe	34
PID 3040 wrote to memory of 2820	3040	rundll32.exe	33
PID 3040 wrote to memory of 2820	3040	rundll32.exe	33
PID 3040 wrote to memory of 2820	3040	rundll32.exe	33
PID 3040 wrote to memory of 2820	3040	rundll32.exe	33
PID 3040 wrote to memory of 2884	3040	rundll32.exe	36
PID 3040 wrote to memory of 2884	3040	rundll32.exe	36
PID 3040 wrote to memory of 2884	3040	rundll32.exe	36
PID 3040 wrote to memory of 2884	3040	rundll32.exe	36
PID 3040 wrote to memory of 2896	3040	rundll32.exe	37
PID 3040 wrote to memory of 2896	3040	rundll32.exe	37
PID 3040 wrote to memory of 2896	3040	rundll32.exe	37
PID 3040 wrote to memory of 2896	3040	rundll32.exe	37
PID 3040 wrote to memory of 3060	3040	rundll32.exe	40
PID 3040 wrote to memory of 3060	3040	rundll32.exe	40
PID 3040 wrote to memory of 3060	3040	rundll32.exe	40
PID 3040 wrote to memory of 3060	3040	rundll32.exe	40
PID 3040 wrote to memory of 2724	3040	rundll32.exe	38
PID 3040 wrote to memory of 2724	3040	rundll32.exe	38
PID 3040 wrote to memory of 2724	3040	rundll32.exe	38
PID 3040 wrote to memory of 2724	3040	rundll32.exe	38
PID 3040 wrote to memory of 2148	3040	rundll32.exe	47
PID 3040 wrote to memory of 2148	3040	rundll32.exe	47
PID 3040 wrote to memory of 2148	3040	rundll32.exe	47
PID 3040 wrote to memory of 2148	3040	rundll32.exe	47

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a1f72dfa9eab85603db66295bc1186.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\16a1f72dfa9eab85603db66295bc1186.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 37-ef-fd-85-b9-c9
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 47-e2-64-b0-2a-75
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 56-94-e4-78-8e-dc
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\arp.exe
    arp -s 167.235.102.93 52-92-a3-e0-29-6c
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 29-a7-76-67-b1-8a
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 85-2c-73-c8-09-cf
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 b8-16-e7-e8-a7-06
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 d0-0f-a5-c3-bd-e3
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 408
    3⤵
    - Program crash
    PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
memory/3040-1-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/3040-4-0x0000000000720000-0x0000000000753000-memory.dmp

Filesize
204KB

Download
memory/3040-5-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/3040-7-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/3040-9-0x0000000000720000-0x0000000000753000-memory.dmp

Filesize
204KB

Download