5983600b61b5a3f0045320786e9a31c6a2803369ba5e3ce894af3c437161bac8

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c107402f7d9d965b34586cc7fee4a3.dll
Size

267KB
MD5

71c107402f7d9d965b34586cc7fee4a3
SHA1

5c819392271d9685b878b8d85289174c75c409e3
SHA256

5983600b61b5a3f0045320786e9a31c6a2803369ba5e3ce894af3c437161bac8
SHA512

371d450393b77650a573c5c1137db6d39a8a3214a43679800bb4ad3c888af05b562591462cb9d1f99154252e03f5ee9ef67a5dec93a284ccad54326b5a5ca619
SSDEEP

3072:3gyowuYTNG0g/mBaY4uzBexLvEKh3N4QXdz5myiYxomfewV:TowbJ3l4u8RvEy4QXdz5mOxomfewV

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\500:TCP = "500:TCP:*:Enabled"	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	rundll32.exe
Token: SeShutdownPrivilege	2532	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2532	1688	rundll32.exe	85
PID 1688 wrote to memory of 2532	1688	rundll32.exe	85
PID 1688 wrote to memory of 2532	1688	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c107402f7d9d965b34586cc7fee4a3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c107402f7d9d965b34586cc7fee4a3.dll,#1
  2⤵
  - Modifies firewall policy service
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-0-0x0000000010000000-0x0000000010069000-memory.dmp

Filesize
420KB

Download
memory/2532-1-0x0000000010000000-0x0000000010069000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads