0384fa19d2d9ba9fb465790efff98a284161428a513b85739e4a4a8b586f889d

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd9a393094a9ee6c8f69ff8fbdc8700N.dll
Size

431KB
MD5

bdd9a393094a9ee6c8f69ff8fbdc8700
SHA1

442a89a7f713ceff4596f2559fd499dee19c3228
SHA256

0384fa19d2d9ba9fb465790efff98a284161428a513b85739e4a4a8b586f889d
SHA512

71a65c0f7433050abda372e1c1677b906dd915d02719a61dba72f4d2027cc01ea37cbdea31128a07030cfee4c042908e9800b25f1c227a0981c0b9722abe5937
SSDEEP

12288:IXi0ig1VCpPgYO+TqxeqFcOH72olHki9e:IXivg1VCpZOCqxkOH7TBI

Score

10^/10

discovery upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 26 IoCs

description	pid	Process	procid_target
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5
PID 2400 created 628	2400	rundll32.exe	5

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-0-0x0000000010000000-0x0000000010088000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe
Token: SeDebugPrivilege	2400	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2400	3128	rundll32.exe	93
PID 3128 wrote to memory of 2400	3128	rundll32.exe	93
PID 3128 wrote to memory of 2400	3128	rundll32.exe	93
PID 2400 wrote to memory of 1020	2400	rundll32.exe	94
PID 2400 wrote to memory of 1020	2400	rundll32.exe	94
PID 2400 wrote to memory of 1020	2400	rundll32.exe	94
PID 2400 wrote to memory of 2304	2400	rundll32.exe	95
PID 2400 wrote to memory of 2304	2400	rundll32.exe	95
PID 2400 wrote to memory of 2304	2400	rundll32.exe	95
PID 2400 wrote to memory of 904	2400	rundll32.exe	96
PID 2400 wrote to memory of 904	2400	rundll32.exe	96
PID 2400 wrote to memory of 904	2400	rundll32.exe	96
PID 2400 wrote to memory of 4168	2400	rundll32.exe	97
PID 2400 wrote to memory of 4168	2400	rundll32.exe	97
PID 2400 wrote to memory of 4168	2400	rundll32.exe	97
PID 2400 wrote to memory of 2952	2400	rundll32.exe	98
PID 2400 wrote to memory of 2952	2400	rundll32.exe	98
PID 2400 wrote to memory of 2952	2400	rundll32.exe	98
PID 2400 wrote to memory of 1140	2400	rundll32.exe	99
PID 2400 wrote to memory of 1140	2400	rundll32.exe	99
PID 2400 wrote to memory of 1140	2400	rundll32.exe	99
PID 2400 wrote to memory of 1380	2400	rundll32.exe	100
PID 2400 wrote to memory of 1380	2400	rundll32.exe	100
PID 2400 wrote to memory of 1380	2400	rundll32.exe	100
PID 2400 wrote to memory of 3716	2400	rundll32.exe	101
PID 2400 wrote to memory of 3716	2400	rundll32.exe	101
PID 2400 wrote to memory of 3716	2400	rundll32.exe	101
PID 2400 wrote to memory of 1352	2400	rundll32.exe	102
PID 2400 wrote to memory of 1352	2400	rundll32.exe	102
PID 2400 wrote to memory of 1352	2400	rundll32.exe	102
PID 2400 wrote to memory of 2660	2400	rundll32.exe	103
PID 2400 wrote to memory of 2660	2400	rundll32.exe	103
PID 2400 wrote to memory of 2660	2400	rundll32.exe	103
PID 2400 wrote to memory of 3904	2400	rundll32.exe	104
PID 2400 wrote to memory of 3904	2400	rundll32.exe	104
PID 2400 wrote to memory of 3904	2400	rundll32.exe	104
PID 2400 wrote to memory of 660	2400	rundll32.exe	105
PID 2400 wrote to memory of 660	2400	rundll32.exe	105
PID 2400 wrote to memory of 660	2400	rundll32.exe	105
PID 2400 wrote to memory of 4868	2400	rundll32.exe	106
PID 2400 wrote to memory of 4868	2400	rundll32.exe	106
PID 2400 wrote to memory of 4868	2400	rundll32.exe	106
PID 2400 wrote to memory of 2924	2400	rundll32.exe	107
PID 2400 wrote to memory of 2924	2400	rundll32.exe	107
PID 2400 wrote to memory of 2924	2400	rundll32.exe	107
PID 2400 wrote to memory of 4720	2400	rundll32.exe	108
PID 2400 wrote to memory of 4720	2400	rundll32.exe	108
PID 2400 wrote to memory of 4720	2400	rundll32.exe	108
PID 2400 wrote to memory of 2688	2400	rundll32.exe	109
PID 2400 wrote to memory of 2688	2400	rundll32.exe	109
PID 2400 wrote to memory of 2688	2400	rundll32.exe	109
PID 2400 wrote to memory of 2452	2400	rundll32.exe	110
PID 2400 wrote to memory of 2452	2400	rundll32.exe	110
PID 2400 wrote to memory of 2452	2400	rundll32.exe	110
PID 2400 wrote to memory of 3376	2400	rundll32.exe	111
PID 2400 wrote to memory of 3376	2400	rundll32.exe	111
PID 2400 wrote to memory of 3376	2400	rundll32.exe	111
PID 2400 wrote to memory of 4512	2400	rundll32.exe	112
PID 2400 wrote to memory of 4512	2400	rundll32.exe	112
PID 2400 wrote to memory of 4512	2400	rundll32.exe	112
PID 2400 wrote to memory of 3460	2400	rundll32.exe	113
PID 2400 wrote to memory of 3460	2400	rundll32.exe	113
PID 2400 wrote to memory of 3460	2400	rundll32.exe	113
PID 2400 wrote to memory of 4796	2400	rundll32.exe	114

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1020
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2304
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:904
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:4168
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2952
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1140
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1380
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:3716
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1352
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2660
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:3904
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:660
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:4868
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2924
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:4720
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2688
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2452
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:3376
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:4512
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:3460
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:4796
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1340
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:2248
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:5012
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1760
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:1464

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdd9a393094a9ee6c8f69ff8fbdc8700N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdd9a393094a9ee6c8f69ff8fbdc8700N.dll,#1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-0-0x0000000010000000-0x0000000010088000-memory.dmp

Filesize
544KB

Download