Analysis
- max time kernel: 141s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2024, 11:38
Behavioral task
- behavioral1
- Sample: 89696fcee3142277741eda94ddfe0395.dll
- Resource: win7-20231215-en
- 5 signatures
- 150 seconds
General
- Target: 89696fcee3142277741eda94ddfe0395.dll
- Size: 23KB
- MD5: 89696fcee3142277741eda94ddfe0395
- SHA1: c0081733a61c1fa564f4e44b854551ab24f262d0
- SHA256: abb1bcce53ea3436a9e0a2ae3cbc4ab2853ee22c56d06b8343f482d9b864df15
- SHA512: f882f80fb0d8d027b6f4b9eb3f521dd8f1ddd3091776bea71d7f3ae984180f4db62fa8e1b428ef8d24fd9f80b3f793091898d5bfef10f4c48f318a20affc1cfd
- SSDEEP: 384:HLV4vxhua2SOcIZO27TRvjjm2cs3ysOk2FufDkKLTvN5V8eTCoq5uN9o13+su1yp:H2xUeOLDTk2jya2ALDfv1Vg5ubP1Xesi
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
  Process: rundll32.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:rundll32"
  Process: rundll32.exe
- (signature name not present on the page; YARA matches)
  resource: behavioral1/memory/2196-0-0x0000000010000000-0x0000000010042000-memory.dmp
  yara_rule: upx

  resource: behavioral1/memory/2196-1-0x0000000010000000-0x0000000010042000-memory.dmp
  yara_rule: upx

  resource: behavioral1/memory/2196-2-0x0000000010000000-0x0000000010042000-memory.dmp
  yara_rule: upx
- Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\hrpdcf.bin
  Process: rundll32.exe
- Suspicious behavior: LoadsDriver (64 IoCs)
  pid: 2196
  Process: rundll32.exe
  (this entry is listed 64 times in the original report)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1932 wrote to memory of 2196
  pid: 1932
  Process: rundll32.exe
  procid_target: 28
  (this entry is listed 7 times in the original report)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89696fcee3142277741eda94ddfe0395.dll,#1
  PID: 1932
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89696fcee3142277741eda94ddfe0395.dll,#1
    PID: 2196
    - Modifies firewall policy service
    - Drops file in System32 directory
    - Suspicious behavior: LoadsDriver