1e56a2d3b984bfe154c680e121be7a7b2a3584d4ef6966a685d1e3da0851e051

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 09:40

Target

4b1861da9beb0685fd7d87e0640afa34.dll
Size

29.7MB
MD5

4b1861da9beb0685fd7d87e0640afa34
SHA1

00297814afbca6cf228e77846a756ccd70b45001
SHA256

1e56a2d3b984bfe154c680e121be7a7b2a3584d4ef6966a685d1e3da0851e051
SHA512

d44778ef4f3af099e613a712e1c030b9d55a5bb86be63c6502ccdf37f9e1d9baa7ec70dd205a73955c877b2d06295de03c1430afddf36f2ebb3d80d2dc604ce7
SSDEEP

6144:iuaGoMIaxSCzXtDqLip8+Q7Vk2L0H0Vn9jESBGMOAdUZiVINUZ3nnlxRc:iMoMIa4CzFYipq3G0dHpdUZiV1Z3lx+

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2880	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wz93001.dll	rundll32.exe
File created	C:\WINDOWS\SysWOW64\TesSafe.sys	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2880	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28
PID 1068 wrote to memory of 2880	1068	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b1861da9beb0685fd7d87e0640afa34.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b1861da9beb0685fd7d87e0640afa34.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2880

\Windows\SysWOW64\wz93001.dll

Filesize
1.2MB

MD5
6f28a3e65136ccabe05f002fa5d6117d

SHA1
9632893b0555d269cf65739879079be2be666732

SHA256
edb68800bb650318e7f73d284ec94c369f25e628a6847790874500c706824ad1

SHA512
54b9179621eee942ff7219d1d2cfeaf850bf786595e6aab6d901f606f58ae66faf81b1b02db9bae8d66d74b4c6412cb305370f34d1f2dc150a6a5d12babd5926

Download Submit
memory/2880-3-0x0000000001F30000-0x00000000020CD000-memory.dmp

Filesize
1.6MB

Download
memory/2880-4-0x0000000001F30000-0x00000000020CD000-memory.dmp

Filesize
1.6MB

Download
memory/2880-6-0x0000000001F30000-0x00000000020CD000-memory.dmp

Filesize
1.6MB

Download
memory/2880-8-0x0000000001F30000-0x00000000020CD000-memory.dmp

Filesize
1.6MB

Download