f02fcfeecd8befe493b8c70ffcab2360a13f9d3f811db862452fe69ec37077c7

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aa509a9845a0f9e2a1f8c14f9543de7.exe
Size

108KB
MD5

3aa509a9845a0f9e2a1f8c14f9543de7
SHA1

7f308f5bbf0e190c902335c164832ad7bc398ef0
SHA256

f02fcfeecd8befe493b8c70ffcab2360a13f9d3f811db862452fe69ec37077c7
SHA512

b2236f3723142a9e21dade4b5968b2b3c60f3193fa0e9ea8f32e5bd5de8efe2bd9f9bbe92c5cb2c74670f789f8eb70084266db146420e9e88e6eb3d0a1e400e5
SSDEEP

3072:56Oji0kMPo3srsAPECcuu9WNRlJUqQa0SDl7W3:sOjEMw3kGCdnNR0S56

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sfipahub = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mpr2048.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe
2412	rundll32.exe
2744	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2252 wrote to memory of 2412	2252	3aa509a9845a0f9e2a1f8c14f9543de7.exe	28
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29
PID 2412 wrote to memory of 2744	2412	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\3aa509a9845a0f9e2a1f8c14f9543de7.exe
"C:\Users\Admin\AppData\Local\Temp\3aa509a9845a0f9e2a1f8c14f9543de7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\mpr2048.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mpr2048.dll",iep
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mpr2048.dll

Filesize
108KB

MD5
c019bf4cea2170b9fa543d70d7c33f8b

SHA1
0da34a383f523d73c50bc8a6add9b958c68193d3

SHA256
ca7a3eb22ee24d919ad94ed4934d71fd98e739fc8f958caaea867bd4d4393de8

SHA512
cc9242d9d87d2ed1173d91f5d94573a2c5a49cfd02df55335ba669af558963a7988a7f631c556127ee2f9fa173cd679b89ac23e8085a1641a5a39b93a6a0f4d5

Download Submit
memory/2252-1-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2252-2-0x0000000001E20000-0x0000000001E60000-memory.dmp

Filesize
256KB

Download
memory/2252-0-0x0000000001E20000-0x0000000001E60000-memory.dmp

Filesize
256KB

Download
memory/2252-13-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2412-12-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2412-11-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2412-10-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2412-14-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2412-20-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2412-24-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2744-22-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/2744-23-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/2744-25-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download