1cb312b1d603c2d153552d90c9adc33dc7535eff8b79d634b78b982322f7f02c

Analysis

max time kernel
19s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 04:50

Target

28dbcfc24102c8f14f8b4792364345a4.dll
Size

36KB
MD5

28dbcfc24102c8f14f8b4792364345a4
SHA1

a61bae79ccb7c6eecc98d1b3e3d232c67ab263c7
SHA256

1cb312b1d603c2d153552d90c9adc33dc7535eff8b79d634b78b982322f7f02c
SHA512

7c8c8b8825f8472555e177d347b98c44725faf4013429c275a01ec4e765534915dee6bac0c06d65af8453663e968dfdb1222673afa9fd5b5719abfb967dd6e44
SSDEEP

768:VfZ2YidJN5kXcyXrCD1tDMByGqnxGm3+IdW:VedEcyXrC/GsnsGdW

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "regedit.exe /s \"%1\""	rundll32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3448	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4036	4532	rundll32.exe	17
PID 4532 wrote to memory of 4036	4532	rundll32.exe	17
PID 4532 wrote to memory of 4036	4532	rundll32.exe	17
PID 4036 wrote to memory of 2816	4036	rundll32.exe	93
PID 4036 wrote to memory of 2816	4036	rundll32.exe	93
PID 4036 wrote to memory of 2816	4036	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28dbcfc24102c8f14f8b4792364345a4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\28dbcfc24102c8f14f8b4792364345a4.dll,#1
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\a.reg
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\regedit.exe
      "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\a.reg"
      4⤵
      Runs .reg file with regedit
      PID:3448

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\a.reg

Filesize
152B

MD5
b100f5324ef74ded0b998e64d07a2e19

SHA1
40b0d7f51bf2dd8451f1b723d21355c471a5fa46

SHA256
3db613d24a75ae220891698c055e1c580a42e58564f568a0510db87581cc2042

SHA512
c12391bb37c334074f7d7e1257b6364fd5cbce848e0a8fe15b8326f54fd9568fe3baec58618c4334027a774a06a08ec249cb71db925c1f85feee6a3d3a816c04

Download Submit