e32734e626eef4aef9b97c5213bd9b3261b01b54a78cb08638f7abd2e168ccc2

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56bd648bb71d99beb5d47c6b9a3c9a9a.dll
Size

110KB
MD5

56bd648bb71d99beb5d47c6b9a3c9a9a
SHA1

71a15d20367ad2b1da65ca7432355df6453f1bf9
SHA256

e32734e626eef4aef9b97c5213bd9b3261b01b54a78cb08638f7abd2e168ccc2
SHA512

77a53b4ddf1a1844d63d937b30315f7bedd46d970b442777bd7c52fc7385db8c9be2a38ce1686186894c7e381ce1633d20e2835c5da50211a05d667e93eb7f2e
SSDEEP

3072:B1Tsdce6FibmBX8pTHqtG9UeKmPjOkKMMiU1m9:MdsiGspTHOneKmPZKNP

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hgfeccsys = "rundll32.exe \"c:\\users\\admin\\appdata\\local\\temp\\56bd648bb71d99beb5d47c6b9a3c9a9a.dll\",s"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\vttqppsys = "rundll32.exe \"c:\\users\\admin\\appdata\\local\\temp\\56bd648bb71d99beb5d47c6b9a3c9a9a.dll\",s"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe
Token: SeDebugPrivilege	1696	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 2156 wrote to memory of 1696	2156	rundll32.exe	16
PID 1696 wrote to memory of 396	1696	rundll32.exe	25
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1944	1696	rundll32.exe	9
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1944	1696	rundll32.exe	9
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1944	1696	rundll32.exe	9
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11
PID 1696 wrote to memory of 432	1696	rundll32.exe	3
PID 1696 wrote to memory of 1116	1696	rundll32.exe	12
PID 1696 wrote to memory of 1172	1696	rundll32.exe	5
PID 1696 wrote to memory of 1252	1696	rundll32.exe	11

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1944

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\56bd648bb71d99beb5d47c6b9a3c9a9a.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\56bd648bb71d99beb5d47c6b9a3c9a9a.dll,#1
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-2-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1696-0-0x00000000000C0000-0x00000000000C8000-memory.dmp

Filesize
32KB

Download
memory/1696-1-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1696-56-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download