cebb82df1b1f2f72ef2f58995dc118bb1ea223da1fcf039db6ad2fbcc4218bcb

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765716198b5752bb31bdddef5c99b1c4.dll
Size

8KB
MD5

765716198b5752bb31bdddef5c99b1c4
SHA1

1bf5f82885cc4d5273c50efcb245edca89eec18c
SHA256

cebb82df1b1f2f72ef2f58995dc118bb1ea223da1fcf039db6ad2fbcc4218bcb
SHA512

df985c7e523137cb37f95d9fc504284b5ed43b3226a7144107bdabf65bfd4dc00a106ec4961185c75e79668e954605028cd1df200e92413c440e6d53e633eca9
SSDEEP

192:8wjmxwcvsvPtxFF7iBaGy72TyFc7eCbkgUw9h:Xqxrv2VF7ra1SF2

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 4296	3560	rundll32.exe	85
PID 3560 wrote to memory of 4296	3560	rundll32.exe	85
PID 3560 wrote to memory of 4296	3560	rundll32.exe	85
PID 4296 wrote to memory of 3328	4296	rundll32.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3328
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\765716198b5752bb31bdddef5c99b1c4.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\765716198b5752bb31bdddef5c99b1c4.dll,#1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4296-0-0x0000000025000000-0x0000000025015000-memory.dmp

Filesize
84KB

Download