86b95b378b9709584ea3a7ca62c4b17049462adbe816ccee11ee872a8221e74c

Analysis

max time kernel
146s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2672124b4ca7f4756e60595125db2b7d.dll
Size

12KB
MD5

2672124b4ca7f4756e60595125db2b7d
SHA1

41f88f549578493ee6c7aedda0efba1d13dc700c
SHA256

86b95b378b9709584ea3a7ca62c4b17049462adbe816ccee11ee872a8221e74c
SHA512

9bad7601122e7b036e04d336d50e531ba80fcc97a2aa925943e44ea8d18d4b991ae9d653544a94cd12b8b41ed8c8483b48df97fd091fa4b37e3fa207767d1353
SSDEEP

384:YR5LLazuQkuSG68RLKiZcWwC/zMywDZ5XB:YXa9kO68RLz9weMzZ5R

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msosdohs00.dll	rundll32.exe
File created	C:\Windows\SysWOW64\msosdohs00.dll	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1476	rundll32.exe
1476	rundll32.exe
1476	rundll32.exe
1476	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1476	1872	rundll32.exe	15
PID 1872 wrote to memory of 1476	1872	rundll32.exe	15
PID 1872 wrote to memory of 1476	1872	rundll32.exe	15
PID 1476 wrote to memory of 612	1476	rundll32.exe	5
PID 1476 wrote to memory of 672	1476	rundll32.exe	3
PID 1476 wrote to memory of 764	1476	rundll32.exe	6
PID 1476 wrote to memory of 760	1476	rundll32.exe	96
PID 1476 wrote to memory of 788	1476	rundll32.exe	95
PID 1476 wrote to memory of 912	1476	rundll32.exe	94
PID 1476 wrote to memory of 956	1476	rundll32.exe	93
PID 1476 wrote to memory of 316	1476	rundll32.exe	9
PID 1476 wrote to memory of 736	1476	rundll32.exe	91
PID 1476 wrote to memory of 428	1476	rundll32.exe	90
PID 1476 wrote to memory of 1000	1476	rundll32.exe	10
PID 1476 wrote to memory of 512	1476	rundll32.exe	88
PID 1476 wrote to memory of 1104	1476	rundll32.exe	87
PID 1476 wrote to memory of 1120	1476	rundll32.exe	86
PID 1476 wrote to memory of 1204	1476	rundll32.exe	85
PID 1476 wrote to memory of 1212	1476	rundll32.exe	11
PID 1476 wrote to memory of 1264	1476	rundll32.exe	84
PID 1476 wrote to memory of 1272	1476	rundll32.exe	83
PID 1476 wrote to memory of 1384	1476	rundll32.exe	82
PID 1476 wrote to memory of 1400	1476	rundll32.exe	81
PID 1476 wrote to memory of 1504	1476	rundll32.exe	80
PID 1476 wrote to memory of 1544	1476	rundll32.exe	79
PID 1476 wrote to memory of 1560	1476	rundll32.exe	78
PID 1476 wrote to memory of 1632	1476	rundll32.exe	12
PID 1476 wrote to memory of 1652	1476	rundll32.exe	77
PID 1476 wrote to memory of 1724	1476	rundll32.exe	76
PID 1476 wrote to memory of 1764	1476	rundll32.exe	75
PID 1476 wrote to memory of 1836	1476	rundll32.exe	74
PID 1476 wrote to memory of 1852	1476	rundll32.exe	73
PID 1476 wrote to memory of 1864	1476	rundll32.exe	72
PID 1476 wrote to memory of 1880	1476	rundll32.exe	71
PID 1476 wrote to memory of 1944	1476	rundll32.exe	70
PID 1476 wrote to memory of 2044	1476	rundll32.exe	69
PID 1476 wrote to memory of 1428	1476	rundll32.exe	68
PID 1476 wrote to memory of 1784	1476	rundll32.exe	13
PID 1476 wrote to memory of 2164	1476	rundll32.exe	65
PID 1476 wrote to memory of 2264	1476	rundll32.exe	64
PID 1476 wrote to memory of 2364	1476	rundll32.exe	63
PID 1476 wrote to memory of 2372	1476	rundll32.exe	62
PID 1476 wrote to memory of 2560	1476	rundll32.exe	61
PID 1476 wrote to memory of 2600	1476	rundll32.exe	60
PID 1476 wrote to memory of 2620	1476	rundll32.exe	59
PID 1476 wrote to memory of 2648	1476	rundll32.exe	58
PID 1476 wrote to memory of 2664	1476	rundll32.exe	57
PID 1476 wrote to memory of 2692	1476	rundll32.exe	56
PID 1476 wrote to memory of 2888	1476	rundll32.exe	55
PID 1476 wrote to memory of 2984	1476	rundll32.exe	54
PID 1476 wrote to memory of 3056	1476	rundll32.exe	53
PID 1476 wrote to memory of 412	1476	rundll32.exe	51
PID 1476 wrote to memory of 3332	1476	rundll32.exe	50
PID 1476 wrote to memory of 3436	1476	rundll32.exe	49
PID 1476 wrote to memory of 3556	1476	rundll32.exe	48
PID 1476 wrote to memory of 3744	1476	rundll32.exe	47
PID 1476 wrote to memory of 3840	1476	rundll32.exe	46
PID 1476 wrote to memory of 3904	1476	rundll32.exe	45
PID 1476 wrote to memory of 3988	1476	rundll32.exe	44
PID 1476 wrote to memory of 4156	1476	rundll32.exe	43
PID 1476 wrote to memory of 4532	1476	rundll32.exe	41
PID 1476 wrote to memory of 4236	1476	rundll32.exe	38
PID 1476 wrote to memory of 3664	1476	rundll32.exe	37
PID 1476 wrote to memory of 3144	1476	rundll32.exe	36

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:764
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1784

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2672124b4ca7f4756e60595125db2b7d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2672124b4ca7f4756e60595125db2b7d.dll,#1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4060

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3444

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:208

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:4128

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2580

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2136

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3664

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:412

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3056

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2888

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2648

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1428

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-3-0x000000001BFC0000-0x000000001BFC1000-memory.dmp

Filesize
4KB

Download
memory/1476-0-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/2984-50-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download