2d7a9d3ee529d88957a6577843c6b33a62eccf6021b263ed474ceda578dbd515

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:11

Target

4d8e67e245c434c048e01f05e66573cc.dll
Size

656KB
MD5

4d8e67e245c434c048e01f05e66573cc
SHA1

9d3148caa362de7ca3b86e3e6a0b057c56eef138
SHA256

2d7a9d3ee529d88957a6577843c6b33a62eccf6021b263ed474ceda578dbd515
SHA512

2493047dd7e601609d54f7975b41c6e11b79d2cad779452ce3aff01c74c19d89a028c20a49fd76eb6b56ca119a887c8548015a761b5e87bf55da4bd09c81e475
SSDEEP

12288:xmviQh7WAZPK40ZPD6FPWUbTrX1XktX/unEIZUlxOnY7a+8:x8FPpq2FPzTrXuvdIKxQX/

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
232	4636	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4636	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4636	1032	rundll32.exe	88
PID 1032 wrote to memory of 4636	1032	rundll32.exe	88
PID 1032 wrote to memory of 4636	1032	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d8e67e245c434c048e01f05e66573cc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d8e67e245c434c048e01f05e66573cc.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: RenamesItself
  PID:4636

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact