1eaedd86fbcb8a9c954f2506e4b39c8c3a0131d3da44369a9188d16985babf58

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 20:31

Target

548231a9467187c76fc6538c09d182de.dll
Size

43KB
MD5

548231a9467187c76fc6538c09d182de
SHA1

8e550ab8b6d377b27bdcc4123736aff3693e8a87
SHA256

1eaedd86fbcb8a9c954f2506e4b39c8c3a0131d3da44369a9188d16985babf58
SHA512

68d485425cbf4721c205f9b810dba8b6ca64feec8b8c66f089331680eea4769aa547876461288040b2252f4c84046c9503d7434b1487745ecd1e944661fd268c
SSDEEP

768:+IgjbXdxAf+jua33sfIgxoSazgPyP4BACPDpD3wdA+VH1Bxk8IaCeudnv8gzMcl8:HB01eyP4BACPN3wdnxk8HuBvh5h6

Score

10^/10

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	rundll32.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\548231a9467187c76fc6538c09d182de.exe"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28
PID 2020 wrote to memory of 1716	2020	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\548231a9467187c76fc6538c09d182de.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\548231a9467187c76fc6538c09d182de.dll,#1
  2⤵
  - Modifies firewall policy service
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  PID:1716