Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll64.exe

loaddll64.exe "C:\Users\user\Desktop\z5zecWP4su.dll"

Details

Is windows:	true
Is dropped:	false
PID:	5888
Target ID:	0
Parent PID:	1028
Name:	loaddll64.exe
Path:	C:\Windows\System32\loaddll64.exe
Commandline:	loaddll64.exe "C:\Users\user\Desktop\z5zecWP4su.dll"
Size:	165888
MD5:	763455F9DCB24DFEECC2B9D9F8D46D52
Time:	15:06:45
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ea600000
Modulesize:	188416
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32.exe /s C:\Users\user\Desktop\z5zecWP4su.dll

Details

Is windows:	true
Is dropped:	false
PID:	3568
Target ID:	3
Parent PID:	5888
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\z5zecWP4su.dll
Size:	25088
MD5:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Time:	15:06:45
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7fe790000
Modulesize:	45056
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Network Connection Initiated By Regsvr32.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	344
Target ID:	4
Parent PID:	5712
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	15:06:45
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff65c7e0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\z5zecWP4su.dll,DllMain

Details

Is windows:	true
Is dropped:	false
PID:	3560
Target ID:	5
Parent PID:	5888
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\z5zecWP4su.dll,DllMain
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	15:06:45
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff65c7e0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\z5zecWP4su.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	4052
Target ID:	7
Parent PID:	5888
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\z5zecWP4su.dll,DllRegisterServer
Size:	71680
MD5:	EF3179D498793BF4234F708D3BE28633
Time:	15:06:48
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff65c7e0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3408
Target ID:	1
Parent PID:	5888
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:06:45
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	5712
Target ID:	2
Parent PID:	5888
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	15:06:45
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff64db40000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#

unknown

https://sectigo.com/CPS0

unknown

http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y

unknown

http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0

unknown

http://ocsp.sectigo.com0

unknown

IPs

Domain

Country

Malicious

10.45.6.7

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dataohis

NULL

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF8A7E6F000

unkown

page read and write

23B1EB45000

heap

page read and write

26D637A000

stack

page read and write

E05EAFE000

stack

page read and write

7FF8A7D81000

unkown

page execute read

23B1D3E0000

heap

page read and write

7FF8A7D80000

unkown

page readonly

25E0000

heap

page read and write

7FF8A80B3000

unkown

page read and write

7FF8A8423000

unkown

page read and write

1FC0CD99000

heap

page read and write

7FF8A8083000

unkown

page execute read

23B1D150000

heap

page read and write

A50000

heap

page read and write

2132FB0D000

heap

page read and write

23B1EB40000

heap

page read and write

1FC0D110000

heap

page read and write

1FC0D030000

trusted library allocation

page read and write

AE5000

heap

page read and write

7FF8A8083000

unkown

page execute read

E05E9FE000

stack

page read and write

238E000

stack

page read and write

1FC0CF70000

heap

page read and write

23B1EA00000

heap

page read and write

23B1ECD0000

heap

page read and write

1FC0CD97000

heap

page read and write

23B1D0E0000

heap

page read and write

7FF8A7E73000

unkown

page read and write

25E5000

heap

page read and write

23B1CFE0000

heap

page read and write

AD0000

trusted library allocation

page read and write

2390000

trusted library allocation

page read and write

6D9B67E000

stack

page read and write

1FC0D030000

trusted library allocation

page read and write

967000

heap

page read and write

1FC0CFD0000

heap

page read and write

7FF8A7D80000

unkown

page readonly

189F6568000

heap

page read and write

26D63FF000

stack

page read and write

189F6505000

heap

page read and write

1FC0CF50000

heap

page read and write

2132FB00000

heap

page read and write

2390000

heap

page read and write

7FF8A7D80000

unkown

page readonly

A80000

heap

page read and write

213314A0000

heap

page read and write

7FF8A8077000

unkown

page read and write

7FF8A7E43000

unkown

page readonly

242E000

stack

page read and write

230F000

stack

page read and write

213315A0000

heap

page read and write

189F6500000

heap

page read and write

7FF8A8077000

unkown

page read and write

950000

heap

page read and write

FA1167F000

stack

page read and write

7FF8A8423000

unkown

page read and write

7FF8A8A8F000

unkown

page readonly

FA113FE000

stack

page read and write

980000

heap

page read and write

23B1EA40000

trusted library allocation

page read and write

213315A5000

heap

page read and write

189F6400000

heap

page read and write

23B1EA00000

trusted library allocation

page read and write

1FC0D000000

trusted library allocation

page read and write

6D9B47C000

stack

page read and write

7FF8A8A8F000

unkown

page readonly

23B1EA40000

trusted library allocation

page read and write

26D62FE000

stack

page read and write

7FF8A8424000

unkown

page execute read

23B1D3E5000

heap

page read and write

5F0000

heap

page read and write

189F7FB5000

heap

page read and write

189F64E0000

heap

page read and write

189F7E10000

trusted library allocation

page read and write

1FC0CFF0000

heap

page read and write

FA1177E000

stack

page read and write

23B1D140000

trusted library allocation

page read and write

23B1D0C0000

heap

page read and write

189F7E60000

heap

page read and write

213314C0000

trusted library allocation

page read and write

1FC0CFF5000

heap

page read and write

6D9B57F000

stack

page read and write

7FF8A8083000

unkown

page execute read

1FC0CD78000

heap

page read and write

2132FCD0000

heap

page read and write

26D627C000

stack

page read and write

238B000

stack

page read and write

7FF8A7E43000

unkown

page readonly

7FF8A8077000

unkown

page read and write

FA116FD000

stack

page read and write

7FF8A80B9000

unkown

page execute read

189F656F000

heap

page read and write

24A0000

heap

page read and write

189F7E10000

heap

page read and write

21331575000

heap

page read and write

7FF8A8079000

unkown

page readonly

21331570000

heap

page read and write

7FF8A8A8F000

unkown

page readonly

2132FAE0000

heap

page read and write

E05E8FB000

stack

page read and write

7FF8A80B9000

unkown

page execute read

6D9B4FF000

stack

page read and write

7FF8A7D81000

unkown

page execute read

7FF8A7E6F000

unkown

page read and write

7FF8A8424000

unkown

page execute read

26D637E000

stack

page read and write

1FC0CFD0000

trusted library allocation

page read and write

7FF8A7D81000

unkown

page execute read

AE0000

heap

page read and write

189F6510000

heap

page read and write

959000

heap

page read and write

87B000

stack

page read and write

189F7E10000

trusted library allocation

page read and write

7FF8A7E73000

unkown

page read and write

FA1137C000

stack

page read and write

213314C0000

heap

page read and write

E05EAFB000

stack

page read and write

7FF8A80B9000

unkown

page execute read

7FF8A80B3000

unkown

page read and write

7FF8A7E6F000

unkown

page read and write

7FF8A7E43000

unkown

page readonly

2132FB09000

heap

page read and write

7FF8A8079000

unkown

page readonly

95B000

heap

page read and write

1FC0CE70000

heap

page read and write

E05EBFF000

stack

page read and write

1FC0E9C0000

heap

page read and write

7FF8A8079000

unkown

page readonly

6D9B6FE000

stack

page read and write

7FF8A8423000

unkown

page read and write

7FF8A8424000

unkown

page execute read

189F7FB0000

heap

page read and write

23B1D158000

heap

page read and write

189F6560000

heap

page read and write

FA117FF000

stack

page read and write

213314C0000

trusted library allocation

page read and write

7FF8A80B3000

unkown

page read and write

1FC0CD70000

heap

page read and write

2132FB18000

heap

page read and write

1FC0D115000

heap

page read and write

7FF8A7E73000

unkown

page read and write

There are 131 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z5zecWP4su

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz5zecWP4su

Processes

URLs

IPs

Registry

Memdumps

IOC Report
z5zecWP4su