dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66

Analysis

max time kernel
113s
max time network
77s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66.dll
Size

80KB
MD5

5e1d0bee95b9cfbc68ea9ad33d83dd5c
SHA1

4d35b3c376b35baac236bd94e20d0ad0344654f7
SHA256

dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66
SHA512

bbd86da8573e452ca31189bf5896db594ea0315e8d3d26bbc9ec5ee4241e0e197de174ab6a91106f004b4cd9bbc5349de04a94d33df72ed21f738b79bd6f5114
SSDEEP

1536:uIcs6msUvrh8ErMInQ+4cw9NVWfjaRkE4LEl8B60Y2lfxxHZPEX:dcs6v68Erj3w9zWf+SEFuk0/pfP6

Score

8^/10

discovery upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2368	rundll32.exe
8	2368	rundll32.exe
9	2368	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	rundll32.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2544	arp.exe
2216	arp.exe
2700	arp.exe
2204	arp.exe
1308	arp.exe
2148	arp.exe
2416	arp.exe
2548	arp.exe
2176	arp.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-2-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2368-1-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2368-5-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2368-6-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2368-7-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2368-13-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2368-15-0x0000000010000000-0x0000000010033000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	rundll32.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2252 wrote to memory of 2368	2252	rundll32.exe	30
PID 2368 wrote to memory of 1308	2368	rundll32.exe	31
PID 2368 wrote to memory of 1308	2368	rundll32.exe	31
PID 2368 wrote to memory of 1308	2368	rundll32.exe	31
PID 2368 wrote to memory of 1308	2368	rundll32.exe	31
PID 2368 wrote to memory of 2148	2368	rundll32.exe	33
PID 2368 wrote to memory of 2148	2368	rundll32.exe	33
PID 2368 wrote to memory of 2148	2368	rundll32.exe	33
PID 2368 wrote to memory of 2148	2368	rundll32.exe	33
PID 2368 wrote to memory of 2416	2368	rundll32.exe	34
PID 2368 wrote to memory of 2416	2368	rundll32.exe	34
PID 2368 wrote to memory of 2416	2368	rundll32.exe	34
PID 2368 wrote to memory of 2416	2368	rundll32.exe	34
PID 2368 wrote to memory of 2548	2368	rundll32.exe	35
PID 2368 wrote to memory of 2548	2368	rundll32.exe	35
PID 2368 wrote to memory of 2548	2368	rundll32.exe	35
PID 2368 wrote to memory of 2548	2368	rundll32.exe	35
PID 2368 wrote to memory of 2544	2368	rundll32.exe	36
PID 2368 wrote to memory of 2544	2368	rundll32.exe	36
PID 2368 wrote to memory of 2544	2368	rundll32.exe	36
PID 2368 wrote to memory of 2544	2368	rundll32.exe	36
PID 2368 wrote to memory of 2176	2368	rundll32.exe	38
PID 2368 wrote to memory of 2176	2368	rundll32.exe	38
PID 2368 wrote to memory of 2176	2368	rundll32.exe	38
PID 2368 wrote to memory of 2176	2368	rundll32.exe	38
PID 2368 wrote to memory of 2216	2368	rundll32.exe	40
PID 2368 wrote to memory of 2216	2368	rundll32.exe	40
PID 2368 wrote to memory of 2216	2368	rundll32.exe	40
PID 2368 wrote to memory of 2216	2368	rundll32.exe	40
PID 2368 wrote to memory of 2700	2368	rundll32.exe	41
PID 2368 wrote to memory of 2700	2368	rundll32.exe	41
PID 2368 wrote to memory of 2700	2368	rundll32.exe	41
PID 2368 wrote to memory of 2700	2368	rundll32.exe	41
PID 2368 wrote to memory of 2204	2368	rundll32.exe	43
PID 2368 wrote to memory of 2204	2368	rundll32.exe	43
PID 2368 wrote to memory of 2204	2368	rundll32.exe	43
PID 2368 wrote to memory of 2204	2368	rundll32.exe	43
PID 2368 wrote to memory of 2400	2368	rundll32.exe	50
PID 2368 wrote to memory of 2400	2368	rundll32.exe	50
PID 2368 wrote to memory of 2400	2368	rundll32.exe	50
PID 2368 wrote to memory of 2400	2368	rundll32.exe	50

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 a0-02-a7-30-92-df
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 90-cd-73-0d-1d-e7
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2416
- - C:\Windows\SysWOW64\arp.exe
    arp -s 136.243.76.21 2a-0a-52-b6-c9-88
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 72-6d-cc-f2-c9-1b
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 1c-44-26-a9-b3-58
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 30-ca-1c-1d-9c-2d
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 09-a2-e2-1a-85-64
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 cb-dd-a2-9e-a2-13
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2204
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2368-0-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-2-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-1-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-5-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-6-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-7-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-13-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2368-15-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download