e9b8a53a61e348af82b208cd3b04167608e34531c62b6ba0b0ecefaccd74a9b3

Analysis

max time kernel
161s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1ad11f289c2dc0de07f8a28f5a8b1b9.dll
Size

260KB
MD5

a1ad11f289c2dc0de07f8a28f5a8b1b9
SHA1

a79dd7ad9671c67a6e98d59f480c6d829a7d7ac2
SHA256

e9b8a53a61e348af82b208cd3b04167608e34531c62b6ba0b0ecefaccd74a9b3
SHA512

c2e693f32903f52ddea1298927c42d7a77da0d0027de7db9cd4a84165de6ffd4ef49c3a55f895303c0360243dbf98c44c84f0b2cb894d01b21b324601e531f2b
SSDEEP

6144:qyIrp70RRQUMnBk8X4UnqSpO0wsxsX9N6cjmF8:qrrpgvMnS8oUnqSpVwsxA9N6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Nkajafugahopir = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a1ad11f289c2dc0de07f8a28f5a8b1b9.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3560	rundll32.exe
3560	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3560	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 3560	1040	rundll32.exe	85
PID 1040 wrote to memory of 3560	1040	rundll32.exe	85
PID 1040 wrote to memory of 3560	1040	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1ad11f289c2dc0de07f8a28f5a8b1b9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1ad11f289c2dc0de07f8a28f5a8b1b9.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3560-0-0x0000000002910000-0x0000000002A10000-memory.dmp

Filesize
1024KB

Download
memory/3560-1-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/3560-11-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/3560-12-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/3560-13-0x0000000002910000-0x0000000002A10000-memory.dmp

Filesize
1024KB

Download