06e82d57983085740a5eea1abb7571df501fc22d8e97aaa3d54e1d4741c0888c

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dll_one_two.dll
Size

922KB
MD5

af7364f14a56ae4234d449ff89a2bb7d
SHA1

ce261d1f31bed80417009fbeb5230be37c34e374
SHA256

a59707803f3d94ed9cb429929c832e9b74ce56071a1c2086949b389539788d8a
SHA512

4c6982a5a11578cdd1b2789628787a8a7f08c86e814dfbe717a1e9cb43060b3f9b888948bdc97bcf207d5dd06398a955cab46f2cfc28761b3be15ef40fbc14de
SSDEEP

12288:2/cSVrVsunK0AtRTxsdzvbFbkag0UvMzK4NWJFgVgU5Sz9duW/Tw6vhWDsghGdQ+:QcS1VTinFBdQx3VcNNWyn2DmYH

Score

1^/10

Malware Config

Signatures

Modifies registry class 11 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\554185f4 = c453aa5630eb4ae1e371325917342171c9d53f0cd3d38376b60f73507d0e0dbaeb608b6383590fd3be20e61afa1c05b8f6b6e360164b775db346d2b99e6f591d15d92af4a216dec5facb0c7cd65b6e29ef9291c5df64921efcaf38a04102515fa4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\ee12e0df = 24fb80dfa86e4e91e0b30de43180c65de97c611ae4f602bef9ee206bc0ff4c0984b78e642c4426f3f4049ea7a6e355516efacffe1329a6763af6184d9e6efba740	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\4b89c358 = e4ac017e5b42d70d493d594abaf499e22ced9a9501073df207dca8435c77c842767dff043d8c053e5fb455c17205ed7432221efa4c5f158a8fb1bf01e5b9724995	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\4a0e9edf = e7b6deea8ea2b85c3242f2cef4416d367c6f46be0d285e26ba7f54a7f7628564b7bc80be0b38d528f33a3092b47ca7179fc12515c34735f010f7d0b79c63b9f3f24234a5c71cc262e442b519fbb1df12ed	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\86a49e41 = 846ca4d6c9f94a25b81afd2ece1a74c9c352091f50224b4147d0b8219545a4a15b4e0ec952dfe5e8ded2531f328f6754c81b837c7e69da9422af750fcdf475e5afa8e3b84f6fea00730b5468e8bcccae4602c462602a2daa6dcd010cb74e696b77aa9ecaccd02b60ed668b34121689c23d1235aff5272c5857d990af5994ca7dd982651ede55416712b3a1c26d44b87ff8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\d08cd689 = e5b28854630b8e90ec249d7b06bf5812343f33a0659f4c8d6ba328ee6b57982d170196384269f41c9b41d124d53436287a9c253dc8217c0fcb85c01daa281245d1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\d10b8b0e = 06f3e907598bf2b69c8a6a00f32d3cb3a96718c65c0747f4570cb7146045f996cc86607afe3fe8a9b08add70c009b84023ec3c6ad886a238f642361816e1a69a7ed433a359919aacfb8b5f82388669fbf7c2063983fcd4aaf51e9505b5ae284d07a0815708b6c7e20b0fdaa65a07711061ca096dfb21e24e23b7807f98024b5b41f2f7d1fa6ad10d6e31d08b503c81130a	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\d10b8b0e = c4b37223e59cdf37f633a39f219e86dd376fcd3165199281c90a92a29f3accfbfb66a63c058f6b245fdaa6d9f7c30c774160242dcd5018fb9c223bf7c85448a2de1cd6d63b4b301fad9dece059f7ae963a31288e2d22c8ab20f4d018263f91a102fdc3efb7ac279a58a8a6ba4b8f54afb9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\8723c3c6 = e712f7b39ed1b0f72c5b2045ff2d9c52aeae6a1303eef4c9ba06311dff474f610ea45cb25b3f13968f9fc39d984c571dfaef181039e081f06d9369bf03c882f31913042da77550df0d412ac36ca9fe469feaa0051335926728361f7e33f46a06cfa15061b90f6eb40007cf4a7dc25a8bdb9e4f3bc4b861c96b1f66d82f50394b5e916836f96931ecee40e6d8797bdabcb09b1106f15b3898aa40e61f9890c5beb54e0ce006c295a68cd70cb96f09b24c9e715b7e122c6a15409aada2558f91dbb54136b876a1ed4e417d65ed9896cf6982	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\kwlruprlanpem\99eb856a = 241edf5bd4d0df5c0e0e35a692c9abddfc5d84ab050467bf3eda9d422b2e49a6fdcdcca30a50cad88d0d93a3c9219fffc9306af2e6b48ad7f0119e962fa233555d33b4f16a88dab1e8f379c0713e2cebc2f48818623fe986dda3f2ea0ecd27bc84	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	rundll32.exe
4292	rundll32.exe
4292	rundll32.exe
4292	rundll32.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe
4860	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4860	4292	rundll32.exe	86
PID 4292 wrote to memory of 4860	4292	rundll32.exe	86
PID 4292 wrote to memory of 4860	4292	rundll32.exe	86
PID 4292 wrote to memory of 4860	4292	rundll32.exe	86
PID 4292 wrote to memory of 4860	4292	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll_one_two.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4292-6-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-0-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-2-0x000001CD89FC0000-0x000001CD89FF0000-memory.dmp

Filesize
192KB

Download
memory/4292-4-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-5-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-7-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-9-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-20-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-1-0x000001CD89F90000-0x000001CD89FBD000-memory.dmp

Filesize
180KB

Download
memory/4292-10-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-11-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-22-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-8-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4292-19-0x000001CD8A020000-0x000001CD8A050000-memory.dmp

Filesize
192KB

Download
memory/4860-13-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-23-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-12-0x00000232A0E80000-0x00000232A0E82000-memory.dmp

Filesize
8KB

Download
memory/4860-21-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-24-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-33-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-34-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-35-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-36-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-37-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download
memory/4860-39-0x00000232A0E50000-0x00000232A0E80000-memory.dmp

Filesize
192KB

Download