Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:46
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 7500fc0d9e7e9feb95927f1e8b723ac9.dll
  Resource: win7-20231215-en (windows7-x64)
  3 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: 7500fc0d9e7e9feb95927f1e8b723ac9.dll
  Resource: win10v2004-20231215-en (windows10-2004-x64)
  4 signatures
  150 seconds
General
Target: 7500fc0d9e7e9feb95927f1e8b723ac9.dll
Size: 312KB
MD5: 7500fc0d9e7e9feb95927f1e8b723ac9
SHA1: 5484971453c7a1d8db9914da3dad6f1daf655443
SHA256: 5aefe8534081069167f25a427c3a9803f3a73127c760bc8eac9fbaf62f1a0ed7
SHA512: 16198d0ed3b568ce9e4778daf5e1f7fe379916dc5c75db53feb282daf5303410ae1566280feae9cc753e691f2b44da04a6515a8274f697141b96c69bfea3d6fd
SSDEEP: 6144:mIf2GHXP+Cce92y6apC53mZGejsi1WlkI:mItHXPdce92y6NlmZGejukI
Score: 10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gnowmebk = "{6B05F9E5-5C8D-4B95-8B57-809FA6C7DB31}" | rundll32.exe
Modifies registry class 5 IoCs
Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B05F9E5-5C8D-4B95-8B57-809FA6C7DB31}\InProcServer32\ = "C:\\Windows\\gnowmebk.dll" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B05F9E5-5C8D-4B95-8B57-809FA6C7DB31}\InProcServer32 | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B05F9E5-5C8D-4B95-8B57-809FA6C7DB31} | rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
  description | pid | process | target process
  PID 3024 wrote to memory of 4412 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 4412 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 4412 | 3024 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7500fc0d9e7e9feb95927f1e8b723ac9.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 3024
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 3024)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7500fc0d9e7e9feb95927f1e8b723ac9.dll,#1
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Modifies registry class
      PID: 4412