Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 28/04/2024, 13:14
Behavioral task
behavioral1
Sample: c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll
Resource: win7-20240221-en
General
Target: c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll
Size: 160KB
MD5: 9fea68d8b8c8d4f6d38a7905e32fc2ad
SHA1: 153c9a3b5d58e9d50053cf0dee4a4bb0fd955541
SHA256: c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99
SHA512: cbe50aa0a2b7ef943860d1161337888bfba19fe999a7b01635909e66103dbe3f3df5be033ee35c7169471ed6ec77c0e69e88d59e70586f6d95b12c1f8166af78
SSDEEP: 3072:A4j1QF83uXAn5HgDr6CAU2tJF3F0tGML9q:A4j108jlIrHAtFrM
Malware Config
Signatures

UAC bypass (1 IoC). The sample does not bypass a single prompt; it switches UAC off by setting EnableLUA to 0. Writing this HKLM policy key needs administrative rights (the sandbox user here is Admin), and the new value only takes effect after the next reboot.
  description      ioc                                                                                          Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  regedit.exe

Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  4     4356  rundll32.exe
  18    4356  rundll32.exe
  20    4356  rundll32.exe
  22    4356  rundll32.exe

Runs .reg file with regedit (1 IoC)
  pid   Process
  1672  regedit.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process       procid_target
  PID 1156 wrote to memory of 4356   1156  rundll32.exe  83
  PID 1156 wrote to memory of 4356   1156  rundll32.exe  83
  PID 1156 wrote to memory of 4356   1156  rundll32.exe  83
  PID 4356 wrote to memory of 628    4356  rundll32.exe  87
  PID 4356 wrote to memory of 628    4356  rundll32.exe  87
  PID 4356 wrote to memory of 628    4356  rundll32.exe  87
  PID 628 wrote to memory of 1672    628   cmd.exe       89
  PID 628 wrote to memory of 1672    628   cmd.exe       89
  PID 628 wrote to memory of 1672    628   cmd.exe       89
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 1156
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll,#1
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      PID: 4356
      3. C:\Windows\SysWOW64\cmd.exe
         cmd /C regedit /s Uac.reg
         - Suspicious use of WriteProcessMemory
         PID: 628
         4. C:\Windows\SysWOW64\regedit.exe
            regedit /s Uac.reg
            - UAC bypass
            - Runs .reg file with regedit
            PID: 1672

The DLL is invoked by ordinal (#1). The 64-bit rundll32.exe hands off to the SysWOW64 copy, which is what rundll32 does when the DLL it is asked to load is 32-bit; every later event in the report (the four network flows, cmd.exe and the silent regedit import) comes from that 32-bit process tree. Uac.reg is given as a relative path, so regedit reads it from the working directory inherited by the spawned cmd.exe.
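Detection logic for the chain shown above, as an added example that is not part of the sandbox report or the sandbox's own code. The process events are constructed from the PIDs, image paths and command lines in the process tree; the report does not show the contents of Uac.reg, so HYPOTHETICAL_UAC_REG is an assumed reconstruction of the smallest .reg file that would produce the observed EnableLUA write. Function names (find_silent_regedit_under_rundll32, reg_values, disables_uac) are this example's own.

```python
"""Flag regedit silent imports (/s) running under rundll32, and check whether a .reg
body turns UAC off (EnableLUA = 0 under the Policies\System key).

Added example for this report; events and the .reg body below are constructed, not
captured from the sandbox.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c43a0c18a6575bacb930ab6d076e470bee4877dfb6fe6a8d1b72e579f528dd99.dll"

# Constructed from the report's process tree (ppid 0 marks the root of the tree).
EVENTS = [
    ProcEvent(1156, 0,    r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    ProcEvent(4356, 1156, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    ProcEvent(628,  4356, r"C:\Windows\SysWOW64\cmd.exe",      "cmd /C regedit /s Uac.reg"),
    ProcEvent(1672, 628,  r"C:\Windows\SysWOW64\regedit.exe",  "regedit /s Uac.reg"),
]

# regedit's silent-import switch (/s or -s) followed by the .reg path.
SILENT_IMPORT = re.compile(r"(?:^|\s)[/-]s\s+(\S+)", re.IGNORECASE)


def lineage(pid, by_pid):
    """Return [process, parent, grandparent, ...] for pid, stopping at an unknown parent."""
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev.ppid
    return chain


def find_silent_regedit_under_rundll32(events):
    """Return (regedit_pid, reg_file, [pid chain up to the root]) for every regedit.exe
    silent import that has rundll32.exe anywhere in its ancestry."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("regedit.exe"):
            continue
        m = SILENT_IMPORT.search(ev.cmdline)
        if not m:
            continue
        chain = lineage(ev.pid, by_pid)
        if any(a.image.lower().endswith("rundll32.exe") for a in chain[1:]):
            hits.append((ev.pid, m.group(1), [a.pid for a in chain]))
    return hits


# .reg files name the hive HKEY_LOCAL_MACHINE; the sandbox reports the same key in its
# native form, \REGISTRY\MACHINE\SOFTWARE\...\Policies\System.
UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Hypothetical reconstruction: the report shows only the resulting write, not the file.
HYPOTHETICAL_UAC_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"""


def reg_values(reg_text):
    """Minimal parser for the Registration Entries (.reg) text format.
    Returns {(key, value_name): raw_data} with key and name lower-cased, since the
    registry is case-insensitive; '@' is the default value; data is left unparsed."""
    values, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-").lower()   # leading '-' means "delete key"
            continue
        if key is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip()
        values[(key, "@" if name == "@" else name.strip('"').lower())] = data.strip()
    return values


def disables_uac(reg_text):
    """True if importing reg_text would set EnableLUA to 0 under the UAC policy key."""
    data = reg_values(reg_text).get((UAC_POLICY_KEY.lower(), "enablelua"))
    if data is None:
        return False
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    return m is not None and int(m.group(1), 16) == 0


if __name__ == "__main__":
    for pid, reg_file, chain in find_silent_regedit_under_rundll32(EVENTS):
        print(f"regedit pid {pid} silently imported {reg_file}; lineage {chain}")
    print("hypothetical Uac.reg disables UAC:", disables_uac(HYPOTHETICAL_UAC_REG))
```

The lineage walk is what makes the rule useful on real telemetry: matching only on "regedit /s" fires on every legitimate GPO or installer import, while requiring rundll32.exe (or any user-writable-path loader) as an ancestor narrows it to the pattern in this report. The .reg check is deliberately strict about the dword form so that a value of "1", a string value or a deletion line ("EnableLUA"=-) does not count as disabling UAC.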
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 245B
MD5: 3259410b95978a44d4a95a1d1815cc6d
SHA1: 26d3928a81f9d754c7991673c6b856652ce38f98
SHA256: 182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5
SHA512: 44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b