Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll"

Details

Is windows:	true
Is dropped:	false
PID:	6988
Target ID:	0
Parent PID:	2580
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	03:51:18
Date:	08/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x970000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	5480
Target ID:	2
Parent PID:	6988
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	03:51:18
Date:	08/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6188
Target ID:	3
Parent PID:	5480
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:51:18
Date:	08/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x6f0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7032
Target ID:	1
Parent PID:	6988
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:51:18
Date:	08/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

30B3000

heap

page read and write

113E000

stack

page read and write

11B0000

heap

page read and write

2E7E000

stack

page read and write

2E3E000

stack

page read and write

153F000

stack

page read and write

2E9A000

heap

page read and write

65F0000

trusted library allocation

page read and write

DD0000

heap

page read and write

1270000

heap

page read and write

2B90000

heap

page read and write

30BC000

heap

page read and write

10FD000

stack

page read and write

2B2C000

stack

page read and write

30AB000

heap

page read and write

30C2000

heap

page read and write

2EC0000

heap

page read and write

127F000

heap

page read and write

309A000

heap

page read and write

2AEA000

stack

page read and write

625F000

stack

page read and write

301E000

stack

page read and write

30D4000

heap

page read and write

3030000

heap

page read and write

30B7000

heap

page read and write

2FDD000

stack

page read and write

2E96000

heap

page read and write

163F000

stack

page read and write

30D4000

heap

page read and write

2E90000

heap

page read and write

30BF000

heap

page read and write

30B3000

heap

page read and write

30AF000

heap

page read and write

1760000

heap

page read and write

2BA0000

heap

page read and write

D6D000

stack

page read and write

DE0000

heap

page read and write

127B000

heap

page read and write

30B7000

heap

page read and write

307E000

stack

page read and write

6190000

heap

page read and write

6194000

heap

page read and write

3080000

heap

page read and write

3090000

heap

page read and write

117E000

stack

page read and write

30D4000

heap

page read and write

There are 36 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll

Processes

Memdumps

IOC Report
17283737684bd86655892d68ec8069bdd2f47d78d953272c24d1231ed47fa5f444cf553321351.dat-decoded.dll