1a57da057e9409384bc27102df1733de7c4197341813930ff5b7adc7abfdcd99

Analysis

max time kernel
189s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 12:07

Target

43a6a406c7c3020c60787e881f658e2d.dll
Size

111KB
MD5

43a6a406c7c3020c60787e881f658e2d
SHA1

9891c2253d50c6459cacd5ca8a8e411ff71ba1ba
SHA256

1a57da057e9409384bc27102df1733de7c4197341813930ff5b7adc7abfdcd99
SHA512

88715e48f1c46dd07ed4b743278aec5b6ed9593663e0808fbbf2809fe100b245916f009018bd9d8582069d4ffc0549182464d76693645183660df8a856060429
SSDEEP

1536:CjbMs6DZ8vp2f89uEYFHlbnt0DfCEfyHHe7EgUOhCSm2K8bDs7oV:C/MbF0Wk7fyn8CAbD1V

Score

7^/10

upx

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2516-0-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2516-1-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/2516-2-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/3016-7-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/files/0x001000000000b1f5-6.dat	upx
behavioral1/memory/2516-8-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral1/memory/3016-9-0x0000000010000000-0x000000001001E000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\msjeome.dll	rundll32.exe
File opened for modification	C:\Windows\msjeome.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "43a6a406c7c3020c60787e881f658e2d.dll,1312253952,359527695,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2808 wrote to memory of 2516	2808	rundll32.exe	29
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30
PID 2516 wrote to memory of 3016	2516	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\43a6a406c7c3020c60787e881f658e2d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\43a6a406c7c3020c60787e881f658e2d.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\msjeome.dll",_RunAs@16
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3016

C:\Windows\msjeome.dll

Filesize
111KB

MD5
43a6a406c7c3020c60787e881f658e2d

SHA1
9891c2253d50c6459cacd5ca8a8e411ff71ba1ba

SHA256
1a57da057e9409384bc27102df1733de7c4197341813930ff5b7adc7abfdcd99

SHA512
88715e48f1c46dd07ed4b743278aec5b6ed9593663e0808fbbf2809fe100b245916f009018bd9d8582069d4ffc0549182464d76693645183660df8a856060429

Download Submit
memory/2516-0-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2516-1-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2516-2-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2516-8-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3016-7-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/3016-9-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download