acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7

Analysis

max time kernel
457s
max time network
458s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-05-2024 16:58

Target

acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7.dll
Size

446KB
MD5

ea5a4c15ba2b29c65462cb24e0025644
SHA1

22c9dd7a1f679a1fa24518da4c36f908071e2597
SHA256

acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7
SHA512

35d4ab13a3026ca3d435eddf6089229180fbba3bcb5c619b2a7dda82a411573acea23488910e3e648dae9a99f7966094600ef69fa7ba19b4a680deb31c1de4e6
SSDEEP

12288:dtcLP7XVZpyrO+2ufEFoOrm0u9F+dAHQ8KsRh:dtcD7rpyrO+Beta+dAwbG

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

2 3712 rundll32.exe
4 3712 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org

flow	pid	process
2	3712	rundll32.exe
4	3712	rundll32.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2444 wrote to memory of 3712	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 3712	2444	rundll32.exe	rundll32.exe
PID 2444 wrote to memory of 3712	2444	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\acf1dcddc30b4aed73f9216539bb1974f7e9b8c25857184afc74764da1b64cc7.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:3712