cf2cd696a7d2831f88b432f8ba905f8aa56ff0a8c0a63607210d6b3fdae697a1

Analysis

max time kernel
119s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c25a7910489ce286bd26901c7982ef4.exe
Size

64KB
MD5

0c25a7910489ce286bd26901c7982ef4
SHA1

2b974e6246d7fc3e2c24b61eba9ecbcf0099762a
SHA256

cf2cd696a7d2831f88b432f8ba905f8aa56ff0a8c0a63607210d6b3fdae697a1
SHA512

d8521b3154f2d518851e602740eef0cba98e702653e1eabb8c1fc42eb09c49ab6742fdeb45b119e17e438b24e31dfa77949ddd32571dfd9778364a367f63e4d0
SSDEEP

1536:BoquHm0GQ0IeSwxAvEqZoQL9EINBvdsDG:VLSwxAFo49HBvdsDG

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\_rx = "C:\\Windows\\rundll32.exe"	0c25a7910489ce286bd26901c7982ef4.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllz.dll	0c25a7910489ce286bd26901c7982ef4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundll32.exe	0c25a7910489ce286bd26901c7982ef4.exe
File created	C:\Windows\rundll32.exe	0c25a7910489ce286bd26901c7982ef4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
320	0c25a7910489ce286bd26901c7982ef4.exe
320	0c25a7910489ce286bd26901c7982ef4.exe

C:\Users\Admin\AppData\Local\Temp\0c25a7910489ce286bd26901c7982ef4.exe
"C:\Users\Admin\AppData\Local\Temp\0c25a7910489ce286bd26901c7982ef4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dllz.dll

Filesize
34KB

MD5
33633f3987a026a39aa78166d21c6cee

SHA1
0d0eb1908158af8c5a33580eb776dc4b11622a51

SHA256
4462c71d8ff203b5bae31298046918e4bc42d94471452d40282061ac32854aa1

SHA512
5db8a8b35d8948e0cee8fd00d565155a70b43e311f841f01e0c31158a6d5347924b08d6967a0791f46326dde392ec8892dce228eb518940512ccd6848dd03e73

Download Submit
memory/320-5-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/320-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/320-9-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/320-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download