390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64556fba96511df8b7449e7247008886.exe
Size

34KB
MD5

64556fba96511df8b7449e7247008886
SHA1

fc9c01795b3badc3d9402034609417a4f59c0e9a
SHA256

390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb
SHA512

d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff
SSDEEP

384:Z7MO04loobMxJNlf7HG6t1mC8bMWYtwWCnrm0A9EFqGVlz6b1iFOVCYBJPHS/7SC:n0GofNd7XHmC8lpQn+Xy1yOgaH1d0WB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2240	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	rundll32.exe
2240	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rzt = "C:\\Windows\\Intel\\rundll32.exe"	64556fba96511df8b7449e7247008886.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ztdll.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Intel\rundll32.exe	64556fba96511df8b7449e7247008886.exe
File opened for modification	C:\Windows\Intel\rundll32.exe	64556fba96511df8b7449e7247008886.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
3556	64556fba96511df8b7449e7247008886.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 1460	3556	64556fba96511df8b7449e7247008886.exe	89
PID 3556 wrote to memory of 1460	3556	64556fba96511df8b7449e7247008886.exe	89
PID 3556 wrote to memory of 1460	3556	64556fba96511df8b7449e7247008886.exe	89
PID 3556 wrote to memory of 2240	3556	64556fba96511df8b7449e7247008886.exe	91
PID 3556 wrote to memory of 2240	3556	64556fba96511df8b7449e7247008886.exe	91
PID 3556 wrote to memory of 2240	3556	64556fba96511df8b7449e7247008886.exe	91

C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe
"C:\Users\Admin\AppData\Local\Temp\64556fba96511df8b7449e7247008886.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$c43B0.tmp.bat
  2⤵
  PID:1460
- C:\Windows\Intel\rundll32.exe
  C:\Windows\Intel\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$c43B0.tmp.bat

Filesize
233B

MD5
f5085936841d5d6db1156f765f5ce202

SHA1
439bd78a1ec6cd1f5a609dbc2a1a329329d87f9c

SHA256
8f1cf3ed53ad04bd535a819d84396b30da2a2d1af03481dfd7127036efe51da3

SHA512
45d3e46a02fa1276d733c25858ac77aab38d1a820100849eb6c4c3ce46842aeaeb85787689a9b19680d6037d8ca97e350c7668212dc856bbb4c99b8b73055f11

Download Submit
C:\Windows\Intel\rundll32.exe

Filesize
34KB

MD5
64556fba96511df8b7449e7247008886

SHA1
fc9c01795b3badc3d9402034609417a4f59c0e9a

SHA256
390b1a58816baeddb270bb8f58e42136f1f4cb0636be5fd5c427e30eac59f9eb

SHA512
d4d2338cda5851ee81547f7fda1e8f32b2e42bec5b7835accba42eeebe3826a1d54b9c0d1bc0492785aca8dda1da89ddb52ed14fa02e8dea8dc4eb1f5f4b5bff

Download Submit
C:\Windows\SysWOW64\ztdll.dll

Filesize
42KB

MD5
08ff261f78012e5e7e8141f754ad10cc

SHA1
7fe186485e0f0193494c315e2ca0979a8a6ae069

SHA256
edec8b512da71e0ba3ec0404b795cbcb7f674ebd0b820590be77c1cbf1c745c3

SHA512
12e58e12a1248c363ae45c78ff2146dfb9b6dbc8022e456b87da35534052ffb14536a751ea78e5f14eec0f461a7bfa90284a8345265cad8f16f87ebe27283283

Download Submit
memory/2240-10-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download
memory/2240-15-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2240-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2240-19-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/3556-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3556-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3556-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download