5b8be73276a2447f9128724eb5563b34c7178a82b4e2e9bcfe56f60c87dc84d8

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38ecc7d5925c74865593202c07ad7235.dll
Size

634KB
MD5

38ecc7d5925c74865593202c07ad7235
SHA1

26bc0d81f8dcb7b9934bc9170c35e3dda5392861
SHA256

5b8be73276a2447f9128724eb5563b34c7178a82b4e2e9bcfe56f60c87dc84d8
SHA512

d954928453ab42610f7e33c383b7ac4421314f6c8baf8422673b882f8056559af8267816bc871e23ebf479f08dd96913089c5fd44129a61445ddea417662d679
SSDEEP

12288:Ppt/90f0PsKJcH812JVrMa952t7FXGOFjTs3fsTq5lVDRdQ:z68POH8QJVr2djTq0eDFR

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gzugs.sys	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{646BD6D86619930BEBCE93AEC6C0CC8B}\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\9A1E.tmp"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	regsvr32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 1604 wrote to memory of 2036	1604	rundll32.exe	28
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29
PID 2036 wrote to memory of 2392	2036	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ecc7d5925c74865593202c07ad7235.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ecc7d5925c74865593202c07ad7235.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\35B0.tmp
    3⤵
    - Loads dropped DLL
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35B0.tmp

Filesize
193KB

MD5
f8ad2e981476ac3fff86df40c5ddc264

SHA1
ce7e7380eae7ff44d52035025ee03121d461171b

SHA256
5059b4b6f046210e695d82c16a31fdf2b7b8fb9734ac20881b4dd4700e2e42c1

SHA512
ddc54bd17ecdd4d0e66a033165c2490221c32fd16ced91a3babda42f7670b2696649aa0feadfac9e864955bc1ade6d6df2f01c0e46996ee9dda03d39bf6c3185

Download Submit
\Users\Admin\AppData\Local\Temp\35B0.tmp

Filesize
155KB

MD5
619284b7c5eb1ed8fba3de3b31b987cb

SHA1
c5bd3af78705a24442cc10809cffe77a9ea57fcf

SHA256
280fd4e34fd3bd5c1c7daa2796b6140d8ac2add7aef6b2d03b97f29bc86aa035

SHA512
dbb775eaf3526fd50bdd71e67712b832c15f627f5045bf1904b1d9abbac4c1795aac75fe4f2daf3de81eaf7693c8d1916949989da57908d7d88c60440607aed1

Download Submit
memory/2036-0-0x0000000000340000-0x00000000003D4000-memory.dmp

Filesize
592KB

Download
memory/2036-1-0x0000000010000000-0x0000000010093000-memory.dmp

Filesize
588KB

Download
memory/2036-13-0x0000000000340000-0x00000000003D4000-memory.dmp

Filesize
592KB

Download
memory/2392-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2392-8-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads