0bea327e1efb58821fb0c28a3ba1dfd805b5606806b53e027c63476767c9daef

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 14:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bea327e1efb58821fb0c28a3ba1dfd805b5606806b53e027c63476767c9daef.dll
Size

2.2MB
MD5

ad4d8860696989487fdad0f678fce3c9
SHA1

ba1a707b8d9dc5474543d4f6a7322e3844fd0219
SHA256

0bea327e1efb58821fb0c28a3ba1dfd805b5606806b53e027c63476767c9daef
SHA512

2f22cc557b93d26cc4571f8ebdf29e10e85d01c7e4df7b8419927a2c1395bd8f4146b87d7a36ee894b58f00d9364fa5a36db61e2ddd983d9292dca3188e06d05
SSDEEP

49152:nHKFVI1B65xqvuxC2R5zPQ+V/vqhB6kwPMd33L:nHKF+1eSkCKs+V/+V

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2940	2672	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 1996 wrote to memory of 2672	1996	rundll32.exe	28
PID 2672 wrote to memory of 2940	2672	rundll32.exe	29
PID 2672 wrote to memory of 2940	2672	rundll32.exe	29
PID 2672 wrote to memory of 2940	2672	rundll32.exe	29
PID 2672 wrote to memory of 2940	2672	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bea327e1efb58821fb0c28a3ba1dfd805b5606806b53e027c63476767c9daef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bea327e1efb58821fb0c28a3ba1dfd805b5606806b53e027c63476767c9daef.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 264
    3⤵
    - Program crash
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads