d5dc338bfde9301b5ec4485a79a352518fb4d3b999b7ec4d1ccc2d928cc8d814

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 12:08

Target

d5dc338bfde9301b5ec4485a79a352518fb4d3b999b7ec4d1ccc2d928cc8d814.dll
Size

137KB
MD5

435793af70394b8b058af627ff789662
SHA1

0c90b30618e4d8719498ec51d894c71a95e69d71
SHA256

d5dc338bfde9301b5ec4485a79a352518fb4d3b999b7ec4d1ccc2d928cc8d814
SHA512

9e98eb47221b8ffb3aa143bba1b2f17272a3c3813c864ffee1d5c66913fd9980e4a7b930e999b28a5800efced5e20cf70bb584971858c9dc8ce823c910126667
SSDEEP

3072:GR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUu1:j25GgFny61mraD

Score

8^/10

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

Port Monitors

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2204	2580	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2104 wrote to memory of 2580	2104	rundll32.exe	30
PID 2580 wrote to memory of 2204	2580	rundll32.exe	31
PID 2580 wrote to memory of 2204	2580	rundll32.exe	31
PID 2580 wrote to memory of 2204	2580	rundll32.exe	31
PID 2580 wrote to memory of 2204	2580	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5dc338bfde9301b5ec4485a79a352518fb4d3b999b7ec4d1ccc2d928cc8d814.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5dc338bfde9301b5ec4485a79a352518fb4d3b999b7ec4d1ccc2d928cc8d814.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 232
    3⤵
    - Program crash
    PID:2204