Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows7_x64
- resource: win7v200430
- submitted: 24-06-2020 14:54
Tasks
- Static task: static1 (0 signatures, 0 seconds)
- Behavioral task: behavioral1
  - Sample: rVuj5bF.bin.dll
  - Resource: win7v200430
  - Platform: windows7_x64
General
- Target: rVuj5bF.bin.dll
- Size: 403KB
- MD5: 4e9d3907d80cfe903df735b855d5eaeb
- SHA1: 3fcc74d0b646e8324f0a4cf4708890a8261f3e84
- SHA256: 280fedf6fd7e0964222ac9b21bcc289c222c7ea91d7bad6350741bdf8c1f0938
- SHA512: 672b8b0dd776ff156504e55c171fe035e5aac7b1b48ae785973113648717317eb611acbcc6141c5ab6c0096c4f41c24c335d957afbca1fddcf15dfde9750361f
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                          pid   process       target process  count
  PID 1416 wrote to memory of 1468     1416  rundll32.exe  rundll32.exe    7
  PID 1468 wrote to memory of 1848     1468  rundll32.exe  msiexec.exe     9
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                          pid   process       target process
  PID 1468 set thread context of 1848  1468  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description                 pid   process      count
  Token: SeSecurityPrivilege  1848  msiexec.exe  2
- Blacklisted process makes network request (37 IoCs)
  Processes: msiexec.exe
  flow ids 6, 8, 10, 12, 14, 16-39 and 41-48, all from pid 1848 msiexec.exe
Processes
1. C:\Windows\system32\rundll32.exe (PID 1416)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1468)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      3. C:\Windows\SysWOW64\msiexec.exe (PID 1848)
         command line: msiexec.exe
         - Suspicious use of AdjustPrivilegeToken
         - Blacklisted process makes network request

Reading the tree: ",#1" tells rundll32.exe to call the DLL export with ordinal 1. The 64-bit rundll32.exe in system32 re-launching its 32-bit counterpart in SysWOW64 with the same command line is rundll32's normal handling of a 32-bit DLL, so the first hop is not by itself suspicious. The second hop is: the 32-bit rundll32.exe (PID 1468) writes into a newly started msiexec.exe (PID 1848) nine times and then calls SetThreadContext on it, the classic write-then-redirect pair of process hollowing or thread hijacking. Consistent with that, it is msiexec.exe, not rundll32.exe, that enables SeSecurityPrivilege and originates all 37 network flows, and every memory dump listed under Downloads comes from PIDs 1468 and 1848.
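The correlation described above can be automated. The following is an added example, not part of the sandbox report or of the sandbox's own detection logic: it parses signature rows in the shape shown in this report's tables (the sample rows below are this report's entries re-typed one per line, repeats included, as constructed input), and applies this example's own rule that a remote memory write followed by SetThreadContext from one process into another marks a hollowed target. It then walks the write edges back to the first writer and attaches what the target did afterwards (privilege changes, network flow count).

```python
"""Correlate sandbox behavioural signature rows into a process-injection chain.

Added example, not the sandbox's detection logic. Row formats follow the
report's signature tables; the hollowing rule (remote write + SetThreadContext
on the same target from the same source) is an assumption of this example.
"""
import re
from collections import Counter, defaultdict

# Row shapes as they appear in the report's signature tables.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
FLOW_RE = re.compile(r"^(\d+) (\d+) (\S+)$")  # flow id, pid, process

# Constructed input: the report's rows, including the repeated ones.
SAMPLE_ROWS = (
    ["PID 1416 wrote to memory of 1468 1416 rundll32.exe rundll32.exe"] * 7
    + ["PID 1468 wrote to memory of 1848 1468 rundll32.exe msiexec.exe"] * 9
    + ["PID 1468 set thread context of 1848 1468 rundll32.exe msiexec.exe"]
    + ["Token: SeSecurityPrivilege 1848 msiexec.exe"] * 2
    + [f"{flow} 1848 msiexec.exe"
       for flow in (6, 8, 10, 12, 14, *range(16, 40), *range(41, 49))]
)


def parse_rows(rows):
    """Group signature rows by kind: remote writes, context changes, tokens, flows."""
    ev = {
        "writes": Counter(),                 # (src, dst) -> number of remote writes
        "contexts": set(),                   # (src, dst) pairs with SetThreadContext
        "privileges": defaultdict(Counter),  # pid -> privilege name -> count
        "flows": defaultdict(set),           # pid -> set of network flow ids
        "names": {},                         # pid -> image name
    }
    for row in rows:
        if m := WRITE_RE.match(row):
            src, dst = int(m[1]), int(m[2])
            ev["writes"][(src, dst)] += 1
            ev["names"].update({src: m[3], dst: m[4]})
        elif m := CTX_RE.match(row):
            src, dst = int(m[1]), int(m[2])
            ev["contexts"].add((src, dst))
            ev["names"].update({src: m[3], dst: m[4]})
        elif m := TOKEN_RE.match(row):
            pid = int(m[2])
            ev["privileges"][pid][m[1]] += 1
            ev["names"][pid] = m[3]
        elif m := FLOW_RE.match(row):
            pid = int(m[2])
            ev["flows"][pid].add(int(m[1]))
            ev["names"][pid] = m[3]
        else:
            raise ValueError(f"unrecognised signature row: {row!r}")
    return ev


def injection_chain(ev, pid):
    """Follow remote-write edges backwards from pid to the first writer."""
    chain, seen = [pid], {pid}
    while True:
        writers = [s for (s, d) in ev["writes"] if d == chain[0] and s not in seen]
        if not writers:
            return chain
        seen.add(writers[0])
        chain.insert(0, writers[0])


def find_hollowed(ev):
    """Report each target that got both a remote write and SetThreadContext from
    the same source, together with what that target did afterwards."""
    findings = []
    for src, dst in sorted(ev["contexts"]):
        if (src, dst) not in ev["writes"]:
            continue  # context change with no prior write: not the pattern we want
        findings.append({
            "source": (src, ev["names"][src]),
            "target": (dst, ev["names"][dst]),
            "writes": ev["writes"][(src, dst)],
            "chain": injection_chain(ev, dst),
            "privileges": dict(ev["privileges"].get(dst, {})),
            "network_flows": len(ev["flows"].get(dst, ())),
        })
    return findings


if __name__ == "__main__":
    for hit in find_hollowed(parse_rows(SAMPLE_ROWS)):
        print(hit)
```

On this report's rows the rule yields a single finding, 1468 rundll32.exe into 1848 msiexec.exe, with the chain 1416 → 1468 → 1848; the 1416 → 1468 writes alone do not qualify because no SetThreadContext accompanies them, which matches the reading that the first hop is rundll32's normal 64-to-32-bit relaunch.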
Network
MITRE ATT&CK Matrix
Downloads
- memory/1468-0-0x0000000000000000-mapping.dmp
- memory/1848-1-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/1848-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
- memory/1848-3-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/1848-4-0x0000000000000000-mapping.dmp