Overview

overview

10

Static

static

10

817e81c92b...bN.dll

windows7-x64

8

817e81c92b...bN.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2025 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    817e81c92be33961734de8200c6aecc57b9ee2e0049e1a8751a0ad42c986b91bN.dll

  • Size

    76KB

  • MD5

    1cf880c5846dc3131ee2a9dbb2b59600

  • SHA1

    85cf56cf42dafc694b6e1b7750e5d5b55c10a6f2

  • SHA256

    817e81c92be33961734de8200c6aecc57b9ee2e0049e1a8751a0ad42c986b91b

  • SHA512

    97d91f105ef938a3f66d181ccf68119cce93fe85fdb3a165764ba855802e051074bc68b952ffa3f95ec0ec0dc71f63bbde92252f797606250c86cf5796ae11ac

  • SSDEEP

    1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZBiRYlz6:c8y93KQjy7G55riF1cMo03nCj

Score
8/10
discoverypersistenceprivilege_escalationupx

Malware Config

Signatures

  • Downloads MZ/PE file 2 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Drops file in System32 directory 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\817e81c92be33961734de8200c6aecc57b9ee2e0049e1a8751a0ad42c986b91bN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\817e81c92be33961734de8200c6aecc57b9ee2e0049e1a8751a0ad42c986b91bN.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEEwN0RFRjUtNEJDNi00MzhBLUE1QzUtMjg0NkUwODc4QzE3fSIgdXNlcmlkPSJ7RjdDN0MyOTUtMzdEMy00NkRFLUFGQTAtM0YzNjBBMjI4M0U3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzQ4RkM2NDQtRDkwQi00QjhELTkxNDMtMjdBM0Y0MDVBMzVCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NzU1NzkwMzM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2276-0-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2276-2-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4944-3-0x00000000762E5000-0x00000000762E6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4944-5-0x00000000762D0000-0x0000000076333000-memory.dmp

    Filesize

    396KB

    Download

  • memory/4944-6-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4944-8-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4944-9-0x00000000762D0000-0x0000000076333000-memory.dmp

    Filesize

    396KB

    Download