acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7

Analysis

max time kernel
510s
max time network
558s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-05-2024 16:58

Target

acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7.dll
Size

446KB
MD5

ea5a4c15ba2b29c65462cb24e0025644
SHA1

22c9dd7a1f679a1fa24518da4c36f908071e2597
SHA256

acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7
SHA512

35d4ab13a3026ca3d435eddf6089229180fbba3bcb5c619b2a7dda82a411573acea23488910e3e648dae9a99f7966094600ef69fa7ba19b4a680deb31c1de4e6
SSDEEP

12288:dtcLP7XVZpyrO+2ufEFoOrm0u9F+dAHQ8KsRh:dtcD7rpyrO+Beta+dAwbG

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

2 3920 rundll32.exe
5 3920 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
1 api.ipify.org

flow	pid	process
2	3920	rundll32.exe
5	3920	rundll32.exe

flow	ioc
2	api.ipify.org
1	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4904 wrote to memory of 3920	4904	rundll32.exe	rundll32.exe
PID 4904 wrote to memory of 3920	4904	rundll32.exe	rundll32.exe
PID 4904 wrote to memory of 3920	4904	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3920