Analysis

max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/04/2024, 13:14
Behavioral task: behavioral1
Sample: c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll
Resource: win7-20240221-en
General

Target: c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll
Size: 160KB
MD5: 9fea68d8b8c8d4f6d38a7905e32fc2ad
SHA1: 153c9a3b5d58e9d50053cf0dee4a4bb0fd955541
SHA256: c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99
SHA512: cbe50aa0a2b7ef943860d1161337888bfba19fe999a7b01635909e66103dbe3f3df5be033ee35c7169471ed6ec77c0e69e88d59e70586f6d95b12c1f8166af78
SSDEEP: 3072:A4j1QF83uXAn5HgDr6CAU2tJF3F0tGML9q:A4j108jlIrHAtFrM
Malware Config
Signatures

UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe

Blocklisted process makes network request 10 IoCs
flow | pid | Process
2 | 2184 | rundll32.exe
4 | 2184 | rundll32.exe
5 | 2184 | rundll32.exe
6 | 2184 | rundll32.exe
7 | 2184 | rundll32.exe
8 | 2184 | rundll32.exe
9 | 2184 | rundll32.exe
10 | 2184 | rundll32.exe
11 | 2184 | rundll32.exe
12 | 2184 | rundll32.exe

Runs .reg file with regedit 1 IoCs
pid | Process
2316 | regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target | occurrences
PID 2008 wrote to memory of 2184 | 2008 | rundll32.exe | 28 | 7
PID 2184 wrote to memory of 2216 | 2184 | rundll32.exe | 29 | 4
PID 2216 wrote to memory of 2316 | 2216 | cmd.exe | 31 | 4
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1
  PID: 2008
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1
    PID: 2184
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command: cmd /C regedit /s Uac.reg
      PID: 2216
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regedit.exe
        command: regedit /s Uac.reg
        PID: 2316
        - UAC bypass
        - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 245B
MD5: 3259410b95978a44d4a95a1d1815cc6d
SHA1: 26d3928a81f9d754c7991673c6b856652ce38f98
SHA256: 182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5
SHA512: 44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b