22e7d33871e338db816bc084a5e00f698605ad04a6747dcedf0cc128d4bc6a94

Analysis

max time kernel
102s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

668334ded8871db5e57db0887091c430N.dll
Size

34KB
MD5

668334ded8871db5e57db0887091c430
SHA1

f6612af7ad623ceecd95b9091561842605f105af
SHA256

22e7d33871e338db816bc084a5e00f698605ad04a6747dcedf0cc128d4bc6a94
SHA512

d2afb1a0c3fb9b89a97491e79d353c9bd67454ff3a2c93dbedb0b1be84a9397886fb176b2fe41a9dcb530f5a1c492ba8c25120ce3f99fc9858b2c2bf7d70a298
SSDEEP

768:3cabpaZ2F2hEyC8Fk7M4Pqrjbbacl6LqUqijvJnPglgSI3pjrRQoX+KvSonW:3LbU4F2hbNFsbPkjXacVYvJnYlgSOhr8

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sysprep\Panther\IE\diagerr.xml	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\Panther\IE\diagwrn.xml	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\Panther\IE\setupact.log	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\Panther\IE\setuperr.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	rundll32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	232	rundll32.exe
Token: SeRestorePrivilege	232	rundll32.exe
Token: SeRestorePrivilege	232	rundll32.exe
Token: SeSecurityPrivilege	232	rundll32.exe
Token: SeSecurityPrivilege	232	rundll32.exe
Token: SeSecurityPrivilege	232	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 232	1588	rundll32.exe	84
PID 1588 wrote to memory of 232	1588	rundll32.exe	84
PID 1588 wrote to memory of 232	1588	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\668334ded8871db5e57db0887091c430N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\668334ded8871db5e57db0887091c430N.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-0-0x0000000074F20000-0x0000000074F50000-memory.dmp

Filesize
192KB

Download