ceb1e4255131b221e6befb1a89799f227e8a56482c8cc35e4e189904dfbdb9f7

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 05:09

Target

ceb1e4255131b221e6befb1a89799f227e8a56482c8cc35e4e189904dfbdb9f7.dll
Size

137KB
MD5

847d97f8468b8a3c97b96e1878bf7b80
SHA1

b8c7ad9f5619b0e1419557309c63d31d34e42fed
SHA256

ceb1e4255131b221e6befb1a89799f227e8a56482c8cc35e4e189904dfbdb9f7
SHA512

a5e271d1cc8e3ae871ee210f4c07cc8d2ad6a8caf18a1db092f1de2e6fffe82a3773c8292c26da399535e9ff99571e7b6b9d56ed00727ec175b91262656673ac
SSDEEP

3072:WR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUu:T25GgFny61mra

Score

8^/10

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

Port Monitors

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\SCSI Port Monitor\Driver = "scsimon.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\ImagePath = "Spoolsv.exe"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\comb.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe
File created	C:\Windows\AppPatch\ComBack.Dll	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	1684	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1336 wrote to memory of 1684	1336	rundll32.exe	30
PID 1684 wrote to memory of 2148	1684	rundll32.exe	31
PID 1684 wrote to memory of 2148	1684	rundll32.exe	31
PID 1684 wrote to memory of 2148	1684	rundll32.exe	31
PID 1684 wrote to memory of 2148	1684	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceb1e4255131b221e6befb1a89799f227e8a56482c8cc35e4e189904dfbdb9f7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceb1e4255131b221e6befb1a89799f227e8a56482c8cc35e4e189904dfbdb9f7.dll,#1
  2⤵
  - Boot or Logon Autostart Execution: Port Monitors
  - Sets service image path in registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 228
    3⤵
    - Program crash
    PID:2148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1936