b59cbd494a290e3c98db577558c97071d2667ad414e77495e56132c4c5b81313

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59cbd494a290e3c98db577558c97071d2667ad414e77495e56132c4c5b81313.dll
Size

1.2MB
MD5

90d243c55b44d692897e5e9a2e786f65
SHA1

e3ca89e1c158fca20de36914aff848f655063d40
SHA256

b59cbd494a290e3c98db577558c97071d2667ad414e77495e56132c4c5b81313
SHA512

7fdf1399445dc688eabb122e66446aa4c20cedd82e79cd26d57c37fc7c19a2fc34038ba6c32452284761324c72bfa6d198bedc5ca1a187d3a0d61f3fed999033
SSDEEP

24576:BDqyY98fMerZKXCrhslbcs1sxNjjYEij+jsLJ/3/3FeOhoA6n4SDuuDChB:dxY98kerZD24siLd4J/3/s4ZSvDC

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2164	rundll32.exe
5	2164	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
320	f77f2b8.exe

Loads dropped DLL 9 IoCs

pid	Process
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2076	320	WerFault.exe	33

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2164 wrote to memory of 320	2164	rundll32.exe	33
PID 2164 wrote to memory of 320	2164	rundll32.exe	33
PID 2164 wrote to memory of 320	2164	rundll32.exe	33
PID 2164 wrote to memory of 320	2164	rundll32.exe	33
PID 320 wrote to memory of 2076	320	f77f2b8.exe	34
PID 320 wrote to memory of 2076	320	f77f2b8.exe	34
PID 320 wrote to memory of 2076	320	f77f2b8.exe	34
PID 320 wrote to memory of 2076	320	f77f2b8.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b59cbd494a290e3c98db577558c97071d2667ad414e77495e56132c4c5b81313.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b59cbd494a290e3c98db577558c97071d2667ad414e77495e56132c4c5b81313.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\f77f2b8.exe
    "C:\Users\Admin\AppData\Local\Temp\f77f2b8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 532
      4⤵
      Loads dropped DLL
      Program crash
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f77f2b8.exe

Filesize
11KB

MD5
620bda3df817bff8deb38758d1dc668c

SHA1
9933523941851b42047f2b7a1324eb8daa8fb1ff

SHA256
b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3

SHA512
bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

Download Submit
memory/320-39-0x00000000722F0000-0x00000000729DE000-memory.dmp

Filesize
6.9MB

Download
memory/320-33-0x00000000722F0000-0x00000000729DE000-memory.dmp

Filesize
6.9MB

Download
memory/320-32-0x00000000011D0000-0x00000000011D8000-memory.dmp

Filesize
32KB

Download
memory/2164-9-0x0000000002130000-0x0000000002B6E000-memory.dmp

Filesize
10.2MB

Download
memory/2164-14-0x0000000002060000-0x00000000020EE000-memory.dmp

Filesize
568KB

Download
memory/2164-7-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download
memory/2164-8-0x00000000003F0000-0x000000000048C000-memory.dmp

Filesize
624KB

Download
memory/2164-0-0x0000000010000000-0x0000000010137000-memory.dmp

Filesize
1.2MB

Download
memory/2164-10-0x0000000001FC0000-0x0000000002055000-memory.dmp

Filesize
596KB

Download
memory/2164-11-0x0000000002060000-0x00000000020EE000-memory.dmp

Filesize
568KB

Download
memory/2164-6-0x00000000003F0000-0x000000000048C000-memory.dmp

Filesize
624KB

Download
memory/2164-15-0x0000000000050000-0x0000000000053000-memory.dmp

Filesize
12KB

Download
memory/2164-16-0x0000000000060000-0x0000000000065000-memory.dmp

Filesize
20KB

Download
memory/2164-4-0x00000000003F0000-0x000000000048C000-memory.dmp

Filesize
624KB

Download
memory/2164-3-0x00000000003F0000-0x000000000048C000-memory.dmp

Filesize
624KB

Download
memory/2164-2-0x0000000000250000-0x0000000000300000-memory.dmp

Filesize
704KB

Download
memory/2164-1-0x0000000010000000-0x00000000100B7000-memory.dmp

Filesize
732KB

Download