390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64556fba96511df8b7449e7247008886.exe
Size

34KB
MD5

64556fba96511df8b7449e7247008886
SHA1

fc9c01795b3badc3d9402034609417a4f59c0e9a
SHA256

390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb
SHA512

d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff
SSDEEP

384:Z7MO04loobMxJNlf7HG6t1mC8bMWYtwWCnrm0A9EFqGVlz6b1iFOVCYBJPHS/7SC:n0GofNd7XHmC8lpQn+Xy1yOgaH1d0WB

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
3060	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rzt = "C:\\Windows\\Intel\\rundll32.exe"	64556fba96511df8b7449e7247008886.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ztdll.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Intel\rundll32.exe	64556fba96511df8b7449e7247008886.exe
File created	C:\Windows\Intel\rundll32.exe	64556fba96511df8b7449e7247008886.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
2380	64556fba96511df8b7449e7247008886.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3060	rundll32.exe
3060	rundll32.exe
3060	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3020	2380	64556fba96511df8b7449e7247008886.exe	28
PID 2380 wrote to memory of 3020	2380	64556fba96511df8b7449e7247008886.exe	28
PID 2380 wrote to memory of 3020	2380	64556fba96511df8b7449e7247008886.exe	28
PID 2380 wrote to memory of 3020	2380	64556fba96511df8b7449e7247008886.exe	28
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30
PID 2380 wrote to memory of 3060	2380	64556fba96511df8b7449e7247008886.exe	30

C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe
"C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$c18CE.tmp.bat
  2⤵
  - Deletes itself
  PID:3020
- C:\Windows\Intel\rundll32.exe
  C:\Windows\Intel\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$c18CE.tmp.bat

Filesize
233B

MD5
465da0b0a2ff80bc878c5250fa10b7e0

SHA1
9764616a21fbedf0a8ad6e9b4dba9872bbb0757b

SHA256
55ba4e33b51ce9b6243987a96b056358e6d6b9d09e09e7c2e8f61189b1b1e51d

SHA512
0adc179ace24ec97f9baf03d4c1764c3addedab2924eb4b64fe67579b9391c6ab61de0a6b42787130795788b50f064e8f60a36faf7244241d3fc2f3b01dceed1

Download Submit
\Windows\Intel\rundll32.exe

Filesize
34KB

MD5
64556fba96511df8b7449e7247008886

SHA1
fc9c01795b3badc3d9402034609417a4f59c0e9a

SHA256
390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb

SHA512
d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff

Download Submit
\Windows\SysWOW64\ztdll.dll

Filesize
42KB

MD5
08ff261f78012e5e7e8141f754ad10cc

SHA1
7fe186485e0f0193494c315e2ca0979a8a6ae069

SHA256
edec8b512da71e0ba3ec0404b795cbcb7f674ebd0b820590be77c1cbf1c745c3

SHA512
12e58e12a1248c363ae45c78ff2146dfb9b6dbc8022e456b87da35534052ffb14536a751ea78e5f14eec0f461a7bfa90284a8345265cad8f16f87ebe27283283

Download Submit
memory/2380-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2380-17-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2380-19-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/2380-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2380-31-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/3060-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3060-26-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/3060-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3060-28-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/3060-24-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download