31aff50eb85d6f14c926e7b01024c758fdb73a63fa67ac3d19b9c86d487680a9

Analysis

max time kernel
141s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 17:44

Target

6fea660213695d45e372de933fefc8fc.dll
Size

20KB
MD5

6fea660213695d45e372de933fefc8fc
SHA1

39fc2ac9da51618072e02fcb10eb8497edcff7ad
SHA256

31aff50eb85d6f14c926e7b01024c758fdb73a63fa67ac3d19b9c86d487680a9
SHA512

10d2715086147a6d252bf8d6f07e581d16f6b33e9fbcdd9e41b4ec98400a7b851b74517a672457a2f31decb755a385f31d5ea8ced6858ac7623d2b2b342482ea
SSDEEP

384:6oRA8jd7l0H1niWtXS0eaWekamFSMOFsPss0P3v6SJrfOVTCU3iNF73FoashLWGN:6id7GH1nZCv7FSMOFsPss0P3vdJjONC2

Score

7^/10

persistence

Allows Network login with blank passwords 1 TTPs 1 IoCs

Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 116	1376	rundll32.exe	85
PID 1376 wrote to memory of 116	1376	rundll32.exe	85
PID 1376 wrote to memory of 116	1376	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fea660213695d45e372de933fefc8fc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fea660213695d45e372de933fefc8fc.dll,#1
  2⤵
  - Allows Network login with blank passwords
  - Modifies WinLogon
  PID:116