b86fac745aa657ac667809a87def45a9fe2240370f240682dc8edf9b3549a764

Analysis

max time kernel
146s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 22:08

Target

3f0c37525a85f6c12aa41919da0d3cbd.dll
Size

34KB
MD5

3f0c37525a85f6c12aa41919da0d3cbd
SHA1

20a3abc958ed1eb64a8815546e6ff7294987ffb4
SHA256

b86fac745aa657ac667809a87def45a9fe2240370f240682dc8edf9b3549a764
SHA512

cc4542ec29b709d25f208cde2f363ac5169ba35599203e65d5be793ab202cf2776ce2ccc0db81451fa731e8f0a4efac46ce8d77ed2856997ee58dd24b09ba4df
SSDEEP

768:mKFRlOsV5E68dAERSx+5eRxYi/kdo8d4hTuqoMbZoaHgcnbcuyD7UCsq:maRlOW5Ex95u/oos4hb1orcnouy8Csq

Score

7^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a00000001224d-6.dat	acprotect

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3036-2-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/3036-1-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/3036-0-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2904-7-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/files/0x000a00000001224d-6.dat	upx
behavioral1/memory/3036-8-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2904-10-0x0000000010000000-0x000000001001E000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mspime.dll	rundll32.exe
File opened for modification	C:\Windows\mspime.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "3f0c37525a85f6c12aa41919da0d3cbd.dll,1312811747,1525379927,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 2688 wrote to memory of 3036	2688	rundll32.exe	15
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26
PID 3036 wrote to memory of 2904	3036	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f0c37525a85f6c12aa41919da0d3cbd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f0c37525a85f6c12aa41919da0d3cbd.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\mspime.dll",_RunAs@16
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2904

C:\Windows\mspime.dll

Filesize
11KB

MD5
5b7d3cfe5ad2a76180004f106b416bfa

SHA1
698c9cfc3133180c667f036ed5b4b85b685694c6

SHA256
21ce2dce853af885d9eb12eec5232a96fbae0baafeb27fbf859908d014f02645

SHA512
115188926cbf51781654f174f52a5fbff84c8243cf15b7e73d656046f3a29c6ac8d02fcbf0867320e197980345cc1e02cf9e2a551d58b969eb06d6261442cdc6

Download Submit
memory/2904-7-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2904-10-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3036-2-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3036-1-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3036-0-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3036-8-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download