1eb510307556d1ed46457852404fcc35aa3ab2f4aae8ea118076f12fa1a06252 | Triage

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c8bcaa1637ac2d5fe8a40fc61c8ce10.dll
Size

13KB
MD5

0c8bcaa1637ac2d5fe8a40fc61c8ce10
SHA1

313bd19492da3eb8cd4842b982ca66cca1624458
SHA256

1eb510307556d1ed46457852404fcc35aa3ab2f4aae8ea118076f12fa1a06252
SHA512

8ab978603c3addf4b5b67f2cddc5bc0d22c13858a7402ca88a7a8a857808f5915a7bce845874548fa72016e17888349691292ae6e5a461f97eb5c792d8110f7a
SSDEEP

192:uPLXtf3j64aURjOqdEkkvJQfFb1511/uNDu8C4hu:iLdf3hRj5dEkkqtbku8nw

Score

1^/10

Malware Config

Signatures

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0c8bcaa1637ac2d5fe8a40fc61c8ce10.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	rundll32.exe
1132	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1132	2828	rundll32.exe	32
PID 2828 wrote to memory of 1132	2828	rundll32.exe	32
PID 2828 wrote to memory of 1132	2828	rundll32.exe	32
PID 1132 wrote to memory of 3432	1132	rundll32.exe	42

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c8bcaa1637ac2d5fe8a40fc61c8ce10.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c8bcaa1637ac2d5fe8a40fc61c8ce10.dll,#1
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-0-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download