Resubmissions
date              id                 score
17-04-2024 09:04  240417-k1zmzaca81  10
17-04-2024 09:02  240417-kzr7haca6x  10
17-04-2024 09:02  240417-kzrkzaca6v  10
17-04-2024 09:02  240417-kzqzfaae49  10
17-04-2024 09:02  240417-kzqcxaae48  10
17-04-2024 09:02  240417-kzprdaae46  10
16-04-2024 14:04  240416-rdht9sdd9w  10

Analysis
max time kernel: 299s
max time network: 301s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 16-04-2024 14:04
Behavioral tasks
task         sample                                                                 resource
behavioral1  da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll  win10-20240404-en
behavioral2  da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll  win7-20240221-en
behavioral3  da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll  win10-20240404-en
behavioral4  da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll  win10v2004-20240412-en
behavioral5  da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll  win11-20240412-en
General
Target: da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll
Size: 30KB
MD5: b950169921d1437cef4a85778cd81636
SHA1: 3d20b1c6f93029ab557819efd1f32afc25ac1e88
SHA256: da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c
SHA512: d0b87c1a119ba712c8b85fcb442286133320ec03df589276106987f2947ebbc603dfabaad7e2efbec4998067ef508f1c12bbc5a54502097665315a7b9ba9cf70
SSDEEP: 768:Ugj98hSEzIOxO+OZWBaFWsBC7wU6LPLoEf73Wud9BdoJrZmZEMb+:Z0IOxO+OZWBGWsB+w93L39BdoD
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     api.ipify.org
  5     api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description         pid   process       target pid  target process
  wrote to memory of  4196  rundll32.exe  4932        rundll32.exe
  wrote to memory of  4196  rundll32.exe  4932        rundll32.exe
  wrote to memory of  4196  rundll32.exe  4932        rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6a04e55e07cfd3c541c340e945c4dad38ac8d414d38dadd3f406f9c954652c.dll,#1
      - Blocklisted process makes network request