5a5f13d201e227857558c902ec71da7810514cdc3c10a908b9dd2aeea7db7844

Analysis

max time kernel
106s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 02:41

Target

5a5f13d201e227857558c902ec71da7810514cdc3c10a908b9dd2aeea7db7844.dll
Size

137KB
MD5

6bb8264813d9675d10eddd7a04ae8b68
SHA1

158f34b4e145839e790cbe55b75deded67d78057
SHA256

5a5f13d201e227857558c902ec71da7810514cdc3c10a908b9dd2aeea7db7844
SHA512

76f7bda14c3ba324b03cab0844389c87dc001403cd41a88ee7b01fee4c1feed716d5dbcfd6d1744b1154aa97c5151c4b85e21a8b3c90a9fa4072a7378c57d7d9
SSDEEP

3072:BR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuY:M25GgFny61mra6

Score

8^/10

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

Port Monitors

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe" rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\com\comb.dll rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\AppPatch\ComBack.Dll rundll32.exe
File created C:\Windows\AppPatch\ComBack.Dll rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2552 2340 WerFault.exe rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

pid	pid_target	process	target process
2552	2340	WerFault.exe	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 2340	1116	rundll32.exe	rundll32.exe
PID 2340 wrote to memory of 2552	2340	rundll32.exe	WerFault.exe
PID 2340 wrote to memory of 2552	2340	rundll32.exe	WerFault.exe
PID 2340 wrote to memory of 2552	2340	rundll32.exe	WerFault.exe
PID 2340 wrote to memory of 2552	2340	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a5f13d201e227857558c902ec71da7810514cdc3c10a908b9dd2aeea7db7844.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a5f13d201e227857558c902ec71da7810514cdc3c10a908b9dd2aeea7db7844.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 232
    3⤵
    - Program crash
    PID:2552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2016