6cd321b091ff51f5cab5498d7b6483cd3844a9dbccf834bad51dc0547446d566

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 16:18

Target

6cd321b091ff51f5cab5498d7b6483cd3844a9dbccf834bad51dc0547446d566N.dll
Size

137KB
MD5

be79e45f180f603de68244cc21a428f0
SHA1

ff6542fde0709826edd9d127adc4cf9e8ccad77b
SHA256

6cd321b091ff51f5cab5498d7b6483cd3844a9dbccf834bad51dc0547446d566
SHA512

f23b4b0c28e7eabbe5a06289bbe3ed8d98d58d767a9e78ae32a794df61f027066367c1b277f601b402bf8b6d576aaa9ea4d3f92a138be62cc1b1654c2a7e544a
SSDEEP

3072:iR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUug:n25GgFny61mraC

Score

8^/10

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

Port Monitors

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	2300	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 796 wrote to memory of 2300	796	rundll32.exe	29
PID 2300 wrote to memory of 2148	2300	rundll32.exe	30
PID 2300 wrote to memory of 2148	2300	rundll32.exe	30
PID 2300 wrote to memory of 2148	2300	rundll32.exe	30
PID 2300 wrote to memory of 2148	2300	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cd321b091ff51f5cab5498d7b6483cd3844a9dbccf834bad51dc0547446d566N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cd321b091ff51f5cab5498d7b6483cd3844a9dbccf834bad51dc0547446d566N.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 232
    3⤵
    - Program crash
    PID:2148