Overview

overview

8

Static

static

7

de4773f306...7e.dll

windows7-x64

8

de4773f306...7e.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 14:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    de4773f30616c5683f88a1b19439a27e.dll

  • Size

    452KB

  • MD5

    de4773f30616c5683f88a1b19439a27e

  • SHA1

    8b2af25ff00674dffa1b82cef490b5b4b2ee1c6a

  • SHA256

    3510acfd881aad5a740a933a96458f9147722b184c9970edfb86fc34a9bfe7ef

  • SHA512

    6fa9147c3f41f5d6481cb501aeb76e528ef6ad6104fc559080e227c14b0f9c467af4fefe693fa09f52faf8dba5920fdef75f1d3688008d8bede6bbf804d0f45c

  • SSDEEP

    12288:CLgUAsuFz4B3Nd6ykj49cemR9yl3rx7KY:c3nE+3iyXcemRMhx7

Score
8/10
evasionpersistencethemida

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Themida packer 29 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\de4773f30616c5683f88a1b19439a27e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\de4773f30616c5683f88a1b19439a27e.dll,#1
      2⤵
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Windows\system32\sdfdfsd34.exe,start
        3⤵
        • Blocklisted process makes network request
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
        3⤵
        • Deletes itself
        PID:568

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\uninstall.bat
          Filesize

          238B

          MD5

          9495e3d21811320ddf078ec7f084c0ec

          SHA1

          a34770370c2248b27bf1af3f3cb8f27d16117336

          SHA256

          23307d859e39a1f307ceba969c00c451d1993983f6aa360a0909530521aebfab

          SHA512

          b7787ba1a9c4b292f176ac73b64c5b6c06d5c76e0577ccb369ae6f38c1ec0ee77b2654a177821841d3f6bb28bccd50f4b04036ce146484d4d1655b64e15813e9

          Download Submit

        • C:\Windows\SysWOW64\sdfdfsd34.exe
          Filesize

          452KB

          MD5

          de4773f30616c5683f88a1b19439a27e

          SHA1

          8b2af25ff00674dffa1b82cef490b5b4b2ee1c6a

          SHA256

          3510acfd881aad5a740a933a96458f9147722b184c9970edfb86fc34a9bfe7ef

          SHA512

          6fa9147c3f41f5d6481cb501aeb76e528ef6ad6104fc559080e227c14b0f9c467af4fefe693fa09f52faf8dba5920fdef75f1d3688008d8bede6bbf804d0f45c

          Download Submit

        • memory/2608-29-0x0000000000820000-0x0000000000822000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2608-33-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-61-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-59-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-57-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-55-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-15-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-16-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-17-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-19-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-18-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-53-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-51-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-49-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-47-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-31-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2608-45-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-34-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-32-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-36-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-37-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-39-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-41-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-43-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2720-3-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2720-0-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2720-28-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2720-27-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2720-1-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2720-2-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2720-7-0x0000000000480000-0x0000000000481000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2720-8-0x0000000000B00000-0x0000000000B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2720-4-0x0000000010000000-0x0000000010127000-memory.dmp

          Filesize

          1.2MB

          Download