97d565555769295f3bd4e2451be64899748416bd3bde7aaca1e16dd5f67cb5ef

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 02:18

Target

97d565555769295f3bd4e2451be64899748416bd3bde7aaca1e16dd5f67cb5ef.dll
Size

137KB
MD5

e634c1841d991e354d6f50dd51a717b9
SHA1

ecf8edff72044afb15084f52353ae0b44d002989
SHA256

97d565555769295f3bd4e2451be64899748416bd3bde7aaca1e16dd5f67cb5ef
SHA512

fb7395134e1610045791af4ec760ad09bc8e2249724f90794bcd84f6d7e7f62557adb5889a477ed5f618485d479af4637a9fae513691cafb1f826c602d7d1b76
SSDEEP

3072:XR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuN:q25GgFny61mraT

Score

8^/10

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

Port Monitors

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2120	2968	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 1544 wrote to memory of 2968	1544	rundll32.exe	29
PID 2968 wrote to memory of 2120	2968	rundll32.exe	30
PID 2968 wrote to memory of 2120	2968	rundll32.exe	30
PID 2968 wrote to memory of 2120	2968	rundll32.exe	30
PID 2968 wrote to memory of 2120	2968	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97d565555769295f3bd4e2451be64899748416bd3bde7aaca1e16dd5f67cb5ef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\97d565555769295f3bd4e2451be64899748416bd3bde7aaca1e16dd5f67cb5ef.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 228
    3⤵
    - Program crash
    PID:2120