ddd5576129b3d68b1a09d0a32990e9c9036b718d8327db5de62f333a4842de9c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06b5d4ecda35e3ffc7fa21d91584c583.dll
Size

237KB
MD5

06b5d4ecda35e3ffc7fa21d91584c583
SHA1

fe9031e46ad0585bcb012e8f18a01f9231550953
SHA256

ddd5576129b3d68b1a09d0a32990e9c9036b718d8327db5de62f333a4842de9c
SHA512

35d735ef13cdd80ab59c5fd01330a5ea5999e701794dd6ecfaac3432bb7ad51fa0e0f372abb2f04bacd10d0f263b525ec9b73e105f08cb69b3083dd659303728
SSDEEP

1536:ojjcfvcIAuacgaHByoVzAHTPxJNCHVRkhAH4VhbLjgEiwW5bMFe4tvGcGnwk9+J:4+kIAi4IzQJNURkZ7bwwkbMzOwk9+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wsyrl = "{c0435168-48cb-9d10-59dc-48cbd9e0435b}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	rundll32.exe
2212	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jfley.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\jfley.dll	rundll32.exe
File created	C:\Windows\SysWOW64\vrxqk.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c0435168-48cb-9d10-59dc-48cbd9e0435b}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c0435168-48cb-9d10-59dc-48cbd9e0435b}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c0435168-48cb-9d10-59dc-48cbd9e0435b}\InprocServer32\ = "C:\\Windows\\SysWow64\\rntmg.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c0435168-48cb-9d10-59dc-48cbd9e0435b}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c0435168-48cb-9d10-59dc-48cbd9e0435b}	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16
PID 1712 wrote to memory of 2212	1712	rundll32.exe	16

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06b5d4ecda35e3ffc7fa21d91584c583.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06b5d4ecda35e3ffc7fa21d91584c583.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\jfley.dll

Filesize
175KB

MD5
a011e527671333143b582bb85bb43325

SHA1
887850703a530f23361e6dd45cf1826abcd497af

SHA256
5166b6602789bc970e973daa3fd3d1725d2987cc412367a0f9148d0c0e4fda69

SHA512
fd7305c7dc754f112020091031dc419ca5837a4691ff5432c14a82c38e658a696eff79ff948cbaf504913ee0734cb06f5c11be47dec37e7ed620c88b06c75d77

Download Submit
\Windows\SysWOW64\vrxqk.dll

Filesize
131KB

MD5
ab5dea2e9973cd36711e598d91fa4c30

SHA1
3e7faa8022fcb552ae66b25b935d3954ac6c8472

SHA256
70f616f5c7ad5a64897da8d15664e2a9e67ff0d893ebf2c146d902ef236494a2

SHA512
42450ee8da2237ca5dff6d2a298a53cd654e158f9b30e306f89e3ead2b25d8c8f7497e7de290bd34043df57a821c961dee20cae26e0b453ee448fc32091f1061

Download Submit
memory/2212-6-0x00000000001B0000-0x00000000001F5000-memory.dmp

Filesize
276KB

Download
memory/2212-14-0x00000000761F0000-0x0000000076290000-memory.dmp

Filesize
640KB

Download
memory/2212-13-0x0000000075250000-0x0000000075360000-memory.dmp

Filesize
1.1MB

Download
memory/2212-12-0x0000000075250000-0x0000000075360000-memory.dmp

Filesize
1.1MB

Download
memory/2212-11-0x00000000001B0000-0x00000000001F5000-memory.dmp

Filesize
276KB

Download
memory/2212-0-0x00000000001B0000-0x00000000001F5000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads