fb6dd5f8e6fd51478af13fffec5c7e9e53e47d3829a439f0290fdbc18d672736

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 07:26

Target

8e8f70b886686778f4895fa779464f14.dll
Size

468KB
MD5

8e8f70b886686778f4895fa779464f14
SHA1

d4c9bc47fcaa574b02d60a6d236eed4a43e23163
SHA256

fb6dd5f8e6fd51478af13fffec5c7e9e53e47d3829a439f0290fdbc18d672736
SHA512

1f886a39e56c79113f785a10982b2843c2f17d07c7fdb33bee3992c18e9bda5214b53136afef930e10546eeea37f0214cc168d94ad01e4310ba00a22d9a9b681
SSDEEP

12288:ICTtmF/aOiHI4grxo7Xgy7v32lAvBu1+XHLC5:ICBmF/aOj4grCbgy7PAA51HLC5

Score

5^/10

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\SQL_Anywhere_10\sqlactnm.h	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0009\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\000C\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0007\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0011\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\0804\dbctrs10.ini	lodctr.exe
File created	C:\Windows\inf\SQL_Anywhere_10\sqlactnm.h	lodctr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 1648 wrote to memory of 2196	1648	regsvr32.exe	28
PID 2196 wrote to memory of 3020	2196	regsvr32.exe	29
PID 2196 wrote to memory of 3020	2196	regsvr32.exe	29
PID 2196 wrote to memory of 3020	2196	regsvr32.exe	29
PID 2196 wrote to memory of 3020	2196	regsvr32.exe	29
PID 2196 wrote to memory of 2760	2196	regsvr32.exe	31
PID 2196 wrote to memory of 2760	2196	regsvr32.exe	31
PID 2196 wrote to memory of 2760	2196	regsvr32.exe	31
PID 2196 wrote to memory of 2760	2196	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8e8f70b886686778f4895fa779464f14.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\8e8f70b886686778f4895fa779464f14.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\unlodctr.exe
    unlodctr SQL_Anywhere_10
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\lodctr.exe
    lodctr dbctrs10.ini
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2760

C:\Users\Admin\AppData\Local\Temp\dbctrs10.ini

Filesize
107KB

MD5
6b293c76e5f34fef64ab3da27a18a6c8

SHA1
2d32527b006ec935ec296e94b9c36f97e39a9186

SHA256
d81464266350203bd8033a33399bc63bc5e3d18d5b3972fcd68b005b1d51e2ab

SHA512
f3c22ff28d4d99054a5bb79f4af32108c6fcc3d59d7f150ab56da6bd8f3b55ee3c8cab8fa5c13b1583c6b09da5a5cf76266d7c7ee09c48cbdf2fca26607d964f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlactnm.h

Filesize
4KB

MD5
4820834e998beaf599ee05ad783b7723

SHA1
00fea601f057169691ca4427b47cadb292134c95

SHA256
94df24c5c5cf8f7faa2ee7a09dec407d26bbcce6bd983e37a52cfc6f93576cf3

SHA512
3b7bf19d20b2ba265e956c772475f18e8d36fb2a0b054f3afd30db6d1d0303cf4f07227a4053bb841b87d7142b92d8b1de01db6c3d38cbc8866f1caa16ece693

Download Submit
memory/2196-0-0x0000000065150000-0x00000000651C5000-memory.dmp

Filesize
468KB

Download