a82682928a8be327837375976c22a0af431ccaf4c9b6b3e1397642682f643c70

Resubmissions

04/03/2025, 05:00

04/03/2025, 04:54

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 04:54

Target

a82682928a8be327837375976c22a0af431ccaf4c9b6b3e1397642682f643c70.dll
Size

137KB
MD5

6bccae8ccfc028f384394142705bcfbc
SHA1

65a88ab2784797afe21137528f0cbc889047141a
SHA256

a82682928a8be327837375976c22a0af431ccaf4c9b6b3e1397642682f643c70
SHA512

ad4a705999ab615ba41f085deb8b0934c5df00f4cd6c5ccb96c5ef6572a00adb9d7092107e4714140c22d390a2ed32eef7f76c7306b59a650d376f7f53f1183a
SSDEEP

3072:aR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuX:P25GgFny61mraV

Score

8^/10

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

Port Monitors

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	2976	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2100 wrote to memory of 2976	2100	rundll32.exe	30
PID 2976 wrote to memory of 2524	2976	rundll32.exe	31
PID 2976 wrote to memory of 2524	2976	rundll32.exe	31
PID 2976 wrote to memory of 2524	2976	rundll32.exe	31
PID 2976 wrote to memory of 2524	2976	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a82682928a8be327837375976c22a0af431ccaf4c9b6b3e1397642682f643c70.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a82682928a8be327837375976c22a0af431ccaf4c9b6b3e1397642682f643c70.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 228
    3⤵
    - Program crash
    PID:2524