20e1e65ffea5a897b53b912239d922d3a434e8f611ec18e405c77da26ae3ab15

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15e65d6c2fbd6adb2a7049593d897fb9.dll
Size

13.3MB
MD5

15e65d6c2fbd6adb2a7049593d897fb9
SHA1

0caa28995b7d060b4a6bd54ed04f3aeb52fee2f6
SHA256

20e1e65ffea5a897b53b912239d922d3a434e8f611ec18e405c77da26ae3ab15
SHA512

198aefbb332351e4516ef349c93fff0233fcbd001329a70af2bacd91eb441e2217a69d0c0934d24712a43e388d9d3079f7cced1e247c27be7ac00eda6c79bd36
SSDEEP

98304:A3PGwBH4I4fWMldQo67yhwnbcQpIzoiAa9cPq/F8DjFP0/+v3ggSfRP5GHlT0TGd:/wSpQo7IIzOFPq/FoUP5GFIpv

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	2232	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 1732 wrote to memory of 2232	1732	rundll32.exe	28
PID 2232 wrote to memory of 2832	2232	rundll32.exe	29
PID 2232 wrote to memory of 2832	2232	rundll32.exe	29
PID 2232 wrote to memory of 2832	2232	rundll32.exe	29
PID 2232 wrote to memory of 2832	2232	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15e65d6c2fbd6adb2a7049593d897fb9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\15e65d6c2fbd6adb2a7049593d897fb9.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 624
    3⤵
    - Program crash
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-0-0x00000000020B0000-0x0000000002E0A000-memory.dmp

Filesize
13.4MB

Download
memory/2232-2-0x00000000020B0000-0x0000000002E0A000-memory.dmp

Filesize
13.4MB

Download