50c4d719a0f349e9bb228a7ec41dd2a0dbb97787d725463db5e7ad7710a06cef

Analysis

max time kernel
141s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 21:38

Target

VirusShare_410c346eaa782ef84f1cbde42f9bef72.dll
Size

93KB
MD5

410c346eaa782ef84f1cbde42f9bef72
SHA1

c6b37d5f49407538f9f3f19cc7cf3396db9752ae
SHA256

50c4d719a0f349e9bb228a7ec41dd2a0dbb97787d725463db5e7ad7710a06cef
SHA512

70c38d3cc3d77449db6da10165a49a028272a9c7572bd238bbc84afba50e756888fa97703982a99422c0c77271eed281d7dc7b972cd3f88488af8222db0d5506
SSDEEP

1536:g5hlPnwfUfIoCJNcm1GXE2PZfHfEd3MZPTdaJC0RY00PxCTKRJIT:g5LkUfIoCjcm1IEaZfa6PTdD+j0PxlR

Score

7^/10

discovery upx

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4444-1-0x000000000B000000-0x000000000B024000-memory.dmp	upx
behavioral2/memory/4444-4-0x000000000B000000-0x000000000B024000-memory.dmp	upx
behavioral2/memory/4444-6-0x000000000B000000-0x000000000B024000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\627B5BFC167A2CD0A910DC6A111543C0\6jzwqm3jr.cpp	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	rundll32.exe
4444	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4444	4472	rundll32.exe	81
PID 4472 wrote to memory of 4444	4472	rundll32.exe	81
PID 4472 wrote to memory of 4444	4472	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_410c346eaa782ef84f1cbde42f9bef72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_410c346eaa782ef84f1cbde42f9bef72.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4444

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/4444-0-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/4444-1-0x000000000B000000-0x000000000B024000-memory.dmp

Filesize
144KB

Download
memory/4444-3-0x000000000B016000-0x000000000B023000-memory.dmp

Filesize
52KB

Download
memory/4444-4-0x000000000B000000-0x000000000B024000-memory.dmp

Filesize
144KB

Download
memory/4444-6-0x000000000B000000-0x000000000B024000-memory.dmp

Filesize
144KB

Download
memory/4444-8-0x000000000B016000-0x000000000B023000-memory.dmp

Filesize
52KB

Download