Resubmissions
  submitted         analysis ID         score
  31-01-2024 21:42  240131-1ktpsadab6   10
  24-01-2024 07:47  240124-jml92sdcd6   10
  23-01-2024 11:54  240123-n25r6ahhfk   10
  24-06-2020 13:36  200624-enc457kzrj   10

Analysis
  max time kernel   150s
  max time network  152s
  platform          windows10_x64
  resource          win10
  submitted         24-06-2020 13:36
Static task
  static1

Behavioral task
  behavioral1
  Sample    A004BC8B4F3DB1EF5A66579B9746B5B1.bin.dll
  Resource  win7v200430
  Platform  windows7_x64
  0 signatures
  0 seconds
General
  Target  A004BC8B4F3DB1EF5A66579B9746B5B1.bin.dll
  Size    424KB
  MD5     a004bc8b4f3db1ef5a66579b9746b5b1
  SHA1    88a5fcebfd7a037a9ca9573772ac2334a61b25de
  SHA256  42bb5eae534eb2cea979c300b797a65febf291b28aea0b9d8bbea7d0a41bffa2
  SHA512  28aed111b2ecea90c2da03871f36272b8680d392c245fdf0e2f4d4454974a3a51d6744133cecfc2576bbc778742f9b824e8355026b53d029d13ff79bb2136f9b
Malware Config

Signatures

Suspicious use of WriteProcessMemory    35 IoCs
  pid   Process       wrote to memory of  procid_target  occurrences
  2460  rundll32.exe  3828                67             3
  3828  rundll32.exe  3720                74             5
  3720  msiexec.exe   352                 75             3
  352   cmd.exe       1624                77             3
  3720  msiexec.exe   2416                78             3
  2416  cmd.exe       3884                80             3
  3884  net.exe       1432                81             3
  3720  msiexec.exe   1924                82             3
  1924  cmd.exe       1320                84             3
  3720  msiexec.exe   2644                85             3
  2644  cmd.exe       3864                87             3

Suspicious use of SetThreadContext    1 IoCs
  pid   Process       set thread context of  procid_target
  3828  rundll32.exe  3720                   74

Suspicious use of AdjustPrivilegeToken    2 IoCs
  pid   Process      Token
  3720  msiexec.exe  SeSecurityPrivilege
  3720  msiexec.exe  SeSecurityPrivilege

Blacklisted process makes network request    18 IoCs
  flow      pid   Process
  14 to 31  3720  msiexec.exe  (one IoC per flow, 18 flows)

Runs net.exe

Suspicious behavior: EnumeratesProcesses    6 IoCs
  pid   Process
  3720  msiexec.exe  (6 occurrences)

Discovers systems in the same network    1 TTPs  2 IoCs
  pid   Process
  1320  net.exe
  3864  net.exe

Reads user/profile data of web browsers    2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
(the leading number is the depth in the process tree)

1  C:\Windows\system32\rundll32.exe  (PID 2460)
   cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.bin.dll,#1
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\rundll32.exe  (PID 3828)
     cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.bin.dll,#1
     - Suspicious use of WriteProcessMemory
     - Suspicious use of SetThreadContext
    3  C:\Windows\SysWOW64\msiexec.exe  (PID 3720)
       cmd: msiexec.exe
       - Suspicious use of WriteProcessMemory
       - Suspicious use of AdjustPrivilegeToken
       - Blacklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
      4  C:\Windows\SysWOW64\cmd.exe  (PID 352)
         cmd: cmd.exe /c ipconfig /all
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\ipconfig.exe  (PID 1624)
           cmd: ipconfig /all
      4  C:\Windows\SysWOW64\cmd.exe  (PID 2416)
         cmd: cmd.exe /c net config workstation
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\net.exe  (PID 3884)
           cmd: net config workstation
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\SysWOW64\net1.exe  (PID 1432)
             cmd: C:\Windows\system32\net1 config workstation
      4  C:\Windows\SysWOW64\cmd.exe  (PID 1924)
         cmd: cmd.exe /c net view /all
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\net.exe  (PID 1320)
           cmd: net view /all
           - Discovers systems in the same network
      4  C:\Windows\SysWOW64\cmd.exe  (PID 2644)
         cmd: cmd.exe /c net view /all /domain
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\net.exe  (PID 3864)
           cmd: net view /all /domain
           - Discovers systems in the same network
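The script below is an added example and is not part of the sandbox report or of any tool it names. It rebuilds the process tree from the PIDs and command lines listed above and correlates it with the WriteProcessMemory and SetThreadContext IoCs. The point it makes: a parent writing into a child it has just created is routine (the 64-bit to 32-bit rundll32 hop at 2460 -> 3828 is exactly that), so WriteProcessMemory alone is noise; WriteProcessMemory plus SetThreadContext on the same child (3828 -> 3720) is the sequence process hollowing relies on, and an argument-less msiexec.exe that then drives ipconfig and net view /all /domain is the discovery stage. The record layout, the list of discovery commands and the severity labels are assumptions made for this example; the sample data is constructed by hand from the report.

```python
"""Correlate the report's process tree with its API IoCs.

Added example, not part of the sandbox report. The two tables below are
constructed by hand from the PIDs, images, command lines and IoC rows shown
above; their dict/tuple layout is an assumption for this example, not the
sandbox's export format.
"""
from collections import defaultdict

# Constructed from the Processes tree: pid -> (image, parent pid, command line)
DLL = r"C:\Users\Admin\AppData\Local\Temp\A004BC8B4F3DB1EF5A66579B9746B5B1.bin.dll"
PROCESSES = {
    2460: ("rundll32.exe", None, f"rundll32.exe {DLL},#1"),
    3828: ("rundll32.exe", 2460, f"rundll32.exe {DLL},#1"),
    3720: ("msiexec.exe",  3828, "msiexec.exe"),
    352:  ("cmd.exe",      3720, "cmd.exe /c ipconfig /all"),
    1624: ("ipconfig.exe", 352,  "ipconfig /all"),
    2416: ("cmd.exe",      3720, "cmd.exe /c net config workstation"),
    3884: ("net.exe",      2416, "net config workstation"),
    1432: ("net1.exe",     3884, r"C:\Windows\system32\net1 config workstation"),
    1924: ("cmd.exe",      3720, "cmd.exe /c net view /all"),
    1320: ("net.exe",      1924, "net view /all"),
    2644: ("cmd.exe",      3720, "cmd.exe /c net view /all /domain"),
    3864: ("net.exe",      2644, "net view /all /domain"),
}

# Constructed from the WriteProcessMemory / SetThreadContext IoC tables,
# one entry per distinct (api, source pid, target pid) pair.
API_EVENTS = [
    ("WriteProcessMemory", 2460, 3828),
    ("WriteProcessMemory", 3828, 3720),
    ("SetThreadContext",   3828, 3720),
    ("WriteProcessMemory", 3720, 352),
    ("WriteProcessMemory", 352,  1624),
    ("WriteProcessMemory", 3720, 2416),
    ("WriteProcessMemory", 2416, 3884),
    ("WriteProcessMemory", 3884, 1432),
    ("WriteProcessMemory", 3720, 1924),
    ("WriteProcessMemory", 1924, 1320),
    ("WriteProcessMemory", 3720, 2644),
    ("WriteProcessMemory", 2644, 3864),
]

# Host/network discovery commands to look for under an injected process
# (a short list chosen for this example; extend it for real hunting).
RECON_PREFIXES = ("ipconfig", "net view", "net config", "net1 view", "net1 config")


def find_injections(events=API_EVENTS):
    """Return (source, target) pairs where the source both wrote into the
    target and replaced a thread context in it.

    A parent writing into a child it just created is routine (CreateProcess
    setup, the 64-bit -> 32-bit rundll32 hop at 2460 -> 3828) and is
    deliberately not flagged on its own; the SetThreadContext on the same
    child is what makes 3828 -> 3720 look like hollowing.
    """
    apis_by_pair = defaultdict(set)
    for api, src, dst in events:
        apis_by_pair[(src, dst)].add(api)
    return sorted(pair for pair, apis in apis_by_pair.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= apis)


def descendants(pid, procs=PROCESSES):
    """All transitive children of pid in the tree."""
    found, stack = [], [pid]
    while stack:
        cur = stack.pop()
        kids = [c for c, (_, ppid, _) in procs.items() if ppid == cur]
        found.extend(kids)
        stack.extend(kids)
    return found


def is_recon(cmdline):
    """True when the command line starts with a discovery tool (path and
    .exe stripped); the cmd.exe /c wrapper itself is not counted."""
    parts = cmdline.split()
    exe = parts[0].rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    text = " ".join([exe] + parts[1:]).lower()
    return text.startswith(RECON_PREFIXES)


def recon_under(pid, procs=PROCESSES):
    """(pid, command line) of discovery commands executed below pid."""
    return [(d, procs[d][2]) for d in sorted(descendants(pid, procs))
            if is_recon(procs[d][2])]


def detect(events=API_EVENTS, procs=PROCESSES):
    """One finding per injection, rated higher when discovery follows it."""
    findings = []
    for src, dst in find_injections(events):
        recon = recon_under(dst, procs)
        findings.append({
            "injector": (src, procs[src][0]),
            "target": (dst, procs[dst][0]),
            "recon": recon,
            "severity": "high" if recon else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f"{f['severity']}: {f['injector']} -> {f['target']}")
        for pid, cmd in f["recon"]:
            print(f"    recon {pid}: {cmd}")
```

Run as-is it reports one finding: rundll32.exe (3828) hollowing msiexec.exe (3720), rated high because five discovery commands (ipconfig /all, net config workstation via net.exe and net1, net view /all, net view /all /domain) run beneath the injected process. Feeding it Sysmon event IDs 8/10 plus process-creation events instead of the hand-built tables is the natural next step.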