4b59f4d8cf048879ad018e7d7a6ea97e8defae46c0a7456ebeaf1fb431567158

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/RM0Wndz9UZ.dll
Size

105KB
MD5

7ebeacdb7f1a9baa8daa5853bb0cb3bc
SHA1

7bd394dcd3928e1546c0a3c85bab5c8eceeca197
SHA256

722bf265e4772e7edb0549a221f2bb5b4bc5b85e2f0e569fc0c6694a3d9ca98c
SHA512

16871d9f65e5fba9f7fff245428de560fd6cedc57a500050e5352bc03f6866104cea9d43db280983197772f4c94387da71177e25b20047c13b4be83c60fcc302
SSDEEP

1536:FGXFsIDdPbZErgTizpfhfVXejvR5hiDX5S/rvglzEbXBXAWwiErCV7+tEU:FMFs6ZErgTw4viXM/zuzWXBQuErE6F

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2992	PING.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2548 wrote to memory of 2924	2548	rundll32.exe	28
PID 2924 wrote to memory of 2796	2924	rundll32.exe	29
PID 2924 wrote to memory of 2796	2924	rundll32.exe	29
PID 2924 wrote to memory of 2796	2924	rundll32.exe	29
PID 2924 wrote to memory of 2796	2924	rundll32.exe	29
PID 2796 wrote to memory of 2992	2796	cmd.exe	31
PID 2796 wrote to memory of 2992	2796	cmd.exe	31
PID 2796 wrote to memory of 2992	2796	cmd.exe	31
PID 2796 wrote to memory of 2992	2796	cmd.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\RM0Wndz9UZ.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\RM0Wndz9UZ.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\$TEMP\RM0Wndz9UZ.dll" >> nul
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-1-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/2924-3-0x00000000001C0000-0x00000000001DD000-memory.dmp

Filesize
116KB

Download
memory/2924-2-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/2924-0-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/2924-4-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download