dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66.dll
Size

80KB
MD5

5e1d0bee95b9cfbc68ea9ad33d83dd5c
SHA1

4d35b3c376b35baac236bd94e20d0ad0344654f7
SHA256

dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66
SHA512

bbd86da8573e452ca31189bf5896db594ea0315e8d3d26bbc9ec5ee4241e0e197de174ab6a91106f004b4cd9bbc5349de04a94d33df72ed21f738b79bd6f5114
SSDEEP

1536:uIcs6msUvrh8ErMInQ+4cw9NVWfjaRkE4LEl8B60Y2lfxxHZPEX:dcs6v68Erj3w9zWf+SEFuk0/pfP6

Score

8^/10

discovery upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2024	rundll32.exe
8	2024	rundll32.exe
9	2024	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	rundll32.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2488	arp.exe
2840	arp.exe
1984	arp.exe
804	arp.exe
2224	arp.exe
2220	arp.exe
2236	arp.exe
2232	arp.exe
1732	arp.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-2-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-1-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-0-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-5-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-6-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-7-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-13-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-15-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2024-21-0x0000000010000000-0x0000000010033000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2024	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	rundll32.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 1100 wrote to memory of 2024	1100	rundll32.exe	28
PID 2024 wrote to memory of 2488	2024	rundll32.exe	29
PID 2024 wrote to memory of 2488	2024	rundll32.exe	29
PID 2024 wrote to memory of 2488	2024	rundll32.exe	29
PID 2024 wrote to memory of 2488	2024	rundll32.exe	29
PID 2024 wrote to memory of 2840	2024	rundll32.exe	31
PID 2024 wrote to memory of 2840	2024	rundll32.exe	31
PID 2024 wrote to memory of 2840	2024	rundll32.exe	31
PID 2024 wrote to memory of 2840	2024	rundll32.exe	31
PID 2024 wrote to memory of 1984	2024	rundll32.exe	32
PID 2024 wrote to memory of 1984	2024	rundll32.exe	32
PID 2024 wrote to memory of 1984	2024	rundll32.exe	32
PID 2024 wrote to memory of 1984	2024	rundll32.exe	32
PID 2024 wrote to memory of 2224	2024	rundll32.exe	33
PID 2024 wrote to memory of 2224	2024	rundll32.exe	33
PID 2024 wrote to memory of 2224	2024	rundll32.exe	33
PID 2024 wrote to memory of 2224	2024	rundll32.exe	33
PID 2024 wrote to memory of 2220	2024	rundll32.exe	35
PID 2024 wrote to memory of 2220	2024	rundll32.exe	35
PID 2024 wrote to memory of 2220	2024	rundll32.exe	35
PID 2024 wrote to memory of 2220	2024	rundll32.exe	35
PID 2024 wrote to memory of 2236	2024	rundll32.exe	36
PID 2024 wrote to memory of 2236	2024	rundll32.exe	36
PID 2024 wrote to memory of 2236	2024	rundll32.exe	36
PID 2024 wrote to memory of 2236	2024	rundll32.exe	36
PID 2024 wrote to memory of 2232	2024	rundll32.exe	37
PID 2024 wrote to memory of 2232	2024	rundll32.exe	37
PID 2024 wrote to memory of 2232	2024	rundll32.exe	37
PID 2024 wrote to memory of 2232	2024	rundll32.exe	37
PID 2024 wrote to memory of 1732	2024	rundll32.exe	38
PID 2024 wrote to memory of 1732	2024	rundll32.exe	38
PID 2024 wrote to memory of 1732	2024	rundll32.exe	38
PID 2024 wrote to memory of 1732	2024	rundll32.exe	38
PID 2024 wrote to memory of 804	2024	rundll32.exe	39
PID 2024 wrote to memory of 804	2024	rundll32.exe	39
PID 2024 wrote to memory of 804	2024	rundll32.exe	39
PID 2024 wrote to memory of 804	2024	rundll32.exe	39
PID 2024 wrote to memory of 2640	2024	rundll32.exe	47
PID 2024 wrote to memory of 2640	2024	rundll32.exe	47
PID 2024 wrote to memory of 2640	2024	rundll32.exe	47
PID 2024 wrote to memory of 2640	2024	rundll32.exe	47

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc0e23745efa53665e2c13299bb3e4b4aba7f28b992fc5f432b7a57cb271ed66.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 75-01-45-34-c1-bc
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 3c-c6-fd-3d-87-d0
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\arp.exe
    arp -s 37.27.61.184 86-5a-ab-c3-a5-9c
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 22-1b-4e-da-64-08
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 86-89-f6-bd-44-f2
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 43-4b-95-65-a2-1d
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 cd-17-34-ef-14-3e
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 b4-1e-f5-ce-2e-3b
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:804
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-2-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-1-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-0-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-5-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-6-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-7-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-13-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-15-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2024-21-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download