247bf157e683c370aa9d355da0fca95c2f2934110390bd69b7531f16d60eeb62

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d370e723292863b66df4dc9c078c54a.dll
Size

116KB
MD5

3d370e723292863b66df4dc9c078c54a
SHA1

c449db767ef3aec41e1dd9ade4d7848585d34b0b
SHA256

247bf157e683c370aa9d355da0fca95c2f2934110390bd69b7531f16d60eeb62
SHA512

f7b3a854fd655ec82516ce6a12e06f4a4f38b5fe57643abab6cd751764b48d88c661a5965fb8dc4783c74acca5db2a080fedc73d75a19d75c30e167c07949321
SSDEEP

1536:Ww2lTPGB6ZlSs8lXcwsfeGF2Upi+Y8NjgYqor7p0dFfulVJQicacrHtKWUi5ek4G:sTP8lXHNVUgVhcFDcrHoWUike

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\58960:TCP = "58960:TCP:*:Enabled:@xpsp2res.dll,-22004"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\22111:TCP = "22111:TCP:*:Enabled:@xpsp2res.dll,-22004"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\4778:TCP = "4778:TCP:*:Enabled:@xpsp2res.dll,-22004"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\14593:TCP = "14593:TCP:*:Enabled:@xpsp2res.dll,-22004"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\47892:TCP = "47892:TCP:*:Enabled:@xpsp2res.dll,-22004"	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	rundll32.exe

Blocklisted process makes network request 25 IoCs

flow	pid	Process
9	4804	rundll32.exe
43	4804	rundll32.exe
103	4804	rundll32.exe
187	4804	rundll32.exe
188	4804	rundll32.exe
189	4804	rundll32.exe
190	4804	rundll32.exe
191	4804	rundll32.exe
192	4804	rundll32.exe
193	4804	rundll32.exe
194	4804	rundll32.exe
209	4804	rundll32.exe
210	4804	rundll32.exe
211	4804	rundll32.exe
229	4804	rundll32.exe
230	4804	rundll32.exe
243	4804	rundll32.exe
244	4804	rundll32.exe
245	4804	rundll32.exe
265	4804	rundll32.exe
266	4804	rundll32.exe
152	4804	rundll32.exe
153	4804	rundll32.exe
154	4804	rundll32.exe
156	4804	rundll32.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
904	netsh.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	68.180.131.16
Destination IP	198.41.0.4
Destination IP	192.12.94.30
Destination IP	68.180.131.16

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3d370e723292863b66df4dc9c078c54a.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3d370e723292863b66df4dc9c078c54a.dll	rundll32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B806A0E5-46D5-277D-7DF2-68E0A53CE5C1}	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4804	556	rundll32.exe	16
PID 556 wrote to memory of 4804	556	rundll32.exe	16
PID 556 wrote to memory of 4804	556	rundll32.exe	16
PID 4804 wrote to memory of 904	4804	rundll32.exe	106
PID 4804 wrote to memory of 904	4804	rundll32.exe	106
PID 4804 wrote to memory of 904	4804	rundll32.exe	106

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d370e723292863b66df4dc9c078c54a.dll,#1
1⤵
- Modifies firewall policy service
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set allowedprogram "%systemroot%\system32\scvhost.exe" enable
  2⤵
  - Modifies Windows Firewall
  PID:904

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d370e723292863b66df4dc9c078c54a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads