Overview

overview

10

Static

static

10

7a77dec7a2...19.dll

windows7-x64

8

7a77dec7a2...19.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 00:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a77dec7a2a6cd2769e82ea0fd053881853c0f7612e605c41758952629740c19.dll

  • Size

    80KB

  • MD5

    b07174fc391992f4bd743300a0fe745b

  • SHA1

    8abfbd6137e367e13bc1a48210188dfbb7d46604

  • SHA256

    7a77dec7a2a6cd2769e82ea0fd053881853c0f7612e605c41758952629740c19

  • SHA512

    028cfc33a66ea62cf9c3b7731146e97f7042f20224bed9a922ef97b5546d4a2f6f06a62f184da51c042d462fcaa5085de0defc3dea47e3efda6dd60e83d60ea7

  • SSDEEP

    1536:5POOhfbOjovgdVydUgoNrwBZXGDaZ1QIxrfItMgR7ZaO+fGxHZPEMLS:5dbwovEVyqgoZmZXWfIdQdRaefPhLS

Score
8/10
discoverypersistenceprivilege_escalationupx

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 9 IoCs

    Attempt to gather information on host's network.

    discovery
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a77dec7a2a6cd2769e82ea0fd053881853c0f7612e605c41758952629740c19.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a77dec7a2a6cd2769e82ea0fd053881853c0f7612e605c41758952629740c19.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\arp.exe
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:2700
      • C:\Windows\SysWOW64\arp.exe
        arp -s 10.127.0.1 44-b2-5f-fe-8a-b9
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\SysWOW64\arp.exe
        arp -s 10.127.255.255 20-be-ad-0c-57-1c
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\SysWOW64\arp.exe
        arp -s 37.27.61.180 84-fa-5a-47-a7-eb
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\SysWOW64\arp.exe
        arp -s 224.0.0.22 24-d1-27-5c-7f-d5
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\SysWOW64\arp.exe
        arp -s 224.0.0.251 b1-8b-7b-c5-65-e6
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2092
      • C:\Windows\SysWOW64\arp.exe
        arp -s 224.0.0.252 06-10-f9-17-1d-6d
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Windows\SysWOW64\arp.exe
        arp -s 239.255.255.250 bc-3a-e1-10-cb-21
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
      • C:\Windows\SysWOW64\arp.exe
        arp -s 255.255.255.255 c2-77-0a-6b-87-c1
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2812
      • C:\Windows\SysWOW64\arp.exe
        arp -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2092-17-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2092-10-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2108-12-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2108-22-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2580-28-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2580-11-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2592-30-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2592-14-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-9-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-25-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2700-4-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2700-6-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-32-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-3-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-0-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-45-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-44-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-1-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-41-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2764-2-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2772-18-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2772-7-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2776-36-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2776-34-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2812-13-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2812-26-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2840-20-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2840-8-0x0000000010000000-0x0000000010033000-memory.dmp

    Filesize

    204KB

    Download