dc3551221e7ac882cb4a2ffe5b99844aa9d00fe43c68b9b096f23dd065827e20

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc3551221e7ac882cb4a2ffe5b99844aa9d00fe43c68b9b096f23dd065827e20.dll
Size

844KB
MD5

36ce03c368b406e78ac78a59a1727b37
SHA1

9a040c2d564898d0e4f617ff15a95e2d5bd9dc2d
SHA256

dc3551221e7ac882cb4a2ffe5b99844aa9d00fe43c68b9b096f23dd065827e20
SHA512

34e507cb618e817afbf165ecc519fbc64ffbf3d47d61c583413d62192dcd15dadb55dc1492e6075ab7952d48ec7727f84e708d611dab87a87107e35a2d73294c
SSDEEP

6144:CGp1PfKtOxX3p8B8CLfYnwexXKIhXGxKOftYiUAc/UqFUmCQeewQeeeQeesQeeXW:CGfVLmfYnw2XFkgpHcQS1vnCKC4f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2852	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	rundll32.exe
Token: SeDebugPrivilege	2852	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2200 wrote to memory of 2852	2200	rundll32.exe	28
PID 2852 wrote to memory of 2760	2852	rundll32.exe	29
PID 2852 wrote to memory of 2760	2852	rundll32.exe	29
PID 2852 wrote to memory of 2760	2852	rundll32.exe	29
PID 2852 wrote to memory of 2760	2852	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc3551221e7ac882cb4a2ffe5b99844aa9d00fe43c68b9b096f23dd065827e20.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc3551221e7ac882cb4a2ffe5b99844aa9d00fe43c68b9b096f23dd065827e20.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 528
    3⤵
    - Program crash
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

Filesize
110B

MD5
7c8c531ff6a158742da186b1fad6e00e

SHA1
98d4551e0d6ac034838a17437640f3335edfaa86

SHA256
00ddbc71282fdbf74b8a02cc75b2c3d66529fe7664c148cc0ca79576a883c501

SHA512
1788173da6e9cf7e5421c02854ca9122d0825927f33fc64bafb76377ee80c0e1a8112c36ee40b1cbce86e121f864777e8ddf9aecd282f3cc82b70e12cc904805

Download Submit
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url

Filesize
115B

MD5
3c12b619f5b9575ba2944b7ca4678929

SHA1
fa6792387198c2d93de2619059efc5206341198d

SHA256
add35880f84004b1422166fe432267249036168ddcf0185481769021980b300a

SHA512
d1e370e03affc9acfa770edc5959bc8009d15d026e4f4cd45314c8e213e371b765828f7a4921169c62c6848dcdbda38311620f4b7af922479b923a6ef12a355d

Download Submit