ab2fe37cd76f9a888c1500a1138b601e1e548fb03c15845d7078f9b7c2ff9156

Analysis

max time kernel
111s
max time network
76s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab2fe37cd76f9a888c1500a1138b601e1e548fb03c15845d7078f9b7c2ff9156.dll
Size

80KB
MD5

1cf238bbd395edf2ee4f8ee43eba2c62
SHA1

ba661c739f8b0b6586adb39c5d526f9bd0dc4078
SHA256

ab2fe37cd76f9a888c1500a1138b601e1e548fb03c15845d7078f9b7c2ff9156
SHA512

2b730e767b714d6cf0ceaff7861945d322fc8073861e833554cf4fdda448763d526a608a61c1cbb29874f02ddc33661ecd3cc4e13e0e790995b73f4a785322e0
SSDEEP

1536:5POOhfbOjovgdVydUgoNrwBZXGDaZ1QIxrfItMgR7ZaO+fGxHZPEdXCQSUsG:5dbwovEVyqgoZmZXWfIdQdRaefPkXCQx

Score

8^/10

discovery upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2124	rundll32.exe
8	2124	rundll32.exe
9	2124	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	rundll32.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2956	arp.exe
2844	arp.exe
2952	arp.exe
2480	arp.exe
1172	arp.exe
2848	arp.exe
2868	arp.exe
2972	arp.exe
2976	arp.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-0-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2124-1-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2124-4-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2124-5-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2124-12-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2124-13-0x0000000010000000-0x0000000010033000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	rundll32.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2820 wrote to memory of 2124	2820	rundll32.exe	30
PID 2124 wrote to memory of 2480	2124	rundll32.exe	31
PID 2124 wrote to memory of 2480	2124	rundll32.exe	31
PID 2124 wrote to memory of 2480	2124	rundll32.exe	31
PID 2124 wrote to memory of 2480	2124	rundll32.exe	31
PID 2124 wrote to memory of 1172	2124	rundll32.exe	33
PID 2124 wrote to memory of 1172	2124	rundll32.exe	33
PID 2124 wrote to memory of 1172	2124	rundll32.exe	33
PID 2124 wrote to memory of 1172	2124	rundll32.exe	33
PID 2124 wrote to memory of 2848	2124	rundll32.exe	34
PID 2124 wrote to memory of 2848	2124	rundll32.exe	34
PID 2124 wrote to memory of 2848	2124	rundll32.exe	34
PID 2124 wrote to memory of 2848	2124	rundll32.exe	34
PID 2124 wrote to memory of 2868	2124	rundll32.exe	36
PID 2124 wrote to memory of 2868	2124	rundll32.exe	36
PID 2124 wrote to memory of 2868	2124	rundll32.exe	36
PID 2124 wrote to memory of 2868	2124	rundll32.exe	36
PID 2124 wrote to memory of 2956	2124	rundll32.exe	37
PID 2124 wrote to memory of 2956	2124	rundll32.exe	37
PID 2124 wrote to memory of 2956	2124	rundll32.exe	37
PID 2124 wrote to memory of 2956	2124	rundll32.exe	37
PID 2124 wrote to memory of 2972	2124	rundll32.exe	38
PID 2124 wrote to memory of 2972	2124	rundll32.exe	38
PID 2124 wrote to memory of 2972	2124	rundll32.exe	38
PID 2124 wrote to memory of 2972	2124	rundll32.exe	38
PID 2124 wrote to memory of 2976	2124	rundll32.exe	39
PID 2124 wrote to memory of 2976	2124	rundll32.exe	39
PID 2124 wrote to memory of 2976	2124	rundll32.exe	39
PID 2124 wrote to memory of 2976	2124	rundll32.exe	39
PID 2124 wrote to memory of 2844	2124	rundll32.exe	43
PID 2124 wrote to memory of 2844	2124	rundll32.exe	43
PID 2124 wrote to memory of 2844	2124	rundll32.exe	43
PID 2124 wrote to memory of 2844	2124	rundll32.exe	43
PID 2124 wrote to memory of 2952	2124	rundll32.exe	44
PID 2124 wrote to memory of 2952	2124	rundll32.exe	44
PID 2124 wrote to memory of 2952	2124	rundll32.exe	44
PID 2124 wrote to memory of 2952	2124	rundll32.exe	44
PID 2124 wrote to memory of 2580	2124	rundll32.exe	49
PID 2124 wrote to memory of 2580	2124	rundll32.exe	49
PID 2124 wrote to memory of 2580	2124	rundll32.exe	49
PID 2124 wrote to memory of 2580	2124	rundll32.exe	49

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab2fe37cd76f9a888c1500a1138b601e1e548fb03c15845d7078f9b7c2ff9156.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab2fe37cd76f9a888c1500a1138b601e1e548fb03c15845d7078f9b7c2ff9156.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2480
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 24-86-49-a8-d5-52
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1172
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 a2-cb-fb-98-48-3c
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\arp.exe
    arp -s 154.61.71.51 c0-46-22-6d-6c-b4
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 e2-38-6b-01-7d-94
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 e2-03-d2-31-40-26
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 9f-21-7b-ba-32-e4
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 d4-b4-01-4c-b0-43
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 02-60-5b-c0-63-bb
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-0-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2124-1-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2124-4-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2124-5-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2124-12-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2124-13-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download