Analysis
- max time kernel: 147s
- max time network: 123s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 03:37

Static task
- static1

Behavioral task
- behavioral1
  - Sample: SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll
  - Resource: win7 (windows7_x64)
  - 0 signatures
  - 0 seconds
General
- Target: SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll
- Size: 579KB
- MD5: a37a8840e9e8d07c73861a1353013ba2
- SHA1: 403c6a9e7159480ba75f4250f2d946226de92d4b
- SHA256: e7f1b2d2601e9a6427a155a3599614c09c9edaae7eb8f10b81e1f3e117717157
- SHA512: 88e7eb3f6648c7baab747bae3afae839a9b13e12ff8ec861e4df262dbd2ab469de7274c02a716ba0e7fe6ecde4b9fe365f53cd4e9433a389080be92840e0c15c
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    4064 | rundll32.exe
    4064 | rundll32.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description           | pid  | process      | target process
    PID 4064 created 3004 | 4064 | rundll32.exe | Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         | pid  | process      | target process
    PID 4064 set thread context of 2484 | 4064 | rundll32.exe | msiexec.exe
- Blacklisted process makes network request (16 IoCs)
  Processes:
    flows 8, 9, 10, 11, 12, 13, 15, 17, 19, 21, 22, 23, 24, 25, 26, 28 | 2484 | msiexec.exe (all 16 flows from the same process)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 3692 wrote to memory of 4064 | 3692 | rundll32.exe | rundll32.exe (3 times)
    PID 4064 wrote to memory of 2484 | 4064 | rundll32.exe | msiexec.exe (5 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                | pid  | process
    Token: SeDebugPrivilege    | 4064 | rundll32.exe
    Token: SeSecurityPrivilege | 2484 | msiexec.exe
    Token: SeSecurityPrivilege | 2484 | msiexec.exe
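The signature rows above are a classic injection chain when read together: rundll32.exe (4064) writes into msiexec.exe (2484) and then resets a thread context in it, msiexec.exe is then the process that talks to the network, and the creation row records a parent other than the caller. The script below is an added example and is not part of the sandbox report or its vendor's code. It correlates a constructed event list (built by hand from the rows above, since the report exposes no machine-readable log) into three findings. It assumes the 64-bit system32 rundll32.exe is PID 3692 and the SysWOW64 rundll32.exe is PID 4064 (the tree omits PIDs; the mapping follows from "PID 3692 wrote to memory of 4064"), and it reads the NtCreateUserProcessOtherParentProcess row as rundll32.exe (4064) spawning msiexec.exe (2484) with Explorer.EXE (3004) recorded as parent, which matches msiexec.exe sitting under Explorer.EXE in the process tree.

```python
"""Correlate sandbox behaviour IoCs into a process-injection chain.

Added example, not part of the sandbox report. EVENTS is constructed by hand
from the report's signature rows (PIDs 3004, 3692, 4064, 2484).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                     # create | write_memory | set_thread_context | network | privilege
    pid: int                      # acting process
    image: str
    target: Optional[int] = None  # pid written to, hijacked, or created
    parent: Optional[int] = None  # parent recorded for a "create" event
    detail: str = ""              # privilege name or flow id


# Assumption: 3692 = system32 rundll32.exe, 4064 = SysWOW64 rundll32.exe, 2484 = msiexec.exe,
# 3004 = Explorer.EXE. The order approximates the sandbox timeline.
EVENTS = [
    *[Event("write_memory", 3692, "rundll32.exe", target=4064)] * 3,
    Event("privilege", 4064, "rundll32.exe", detail="SeDebugPrivilege"),
    Event("create", 4064, "rundll32.exe", target=2484, parent=3004),
    *[Event("write_memory", 4064, "rundll32.exe", target=2484)] * 5,
    Event("set_thread_context", 4064, "rundll32.exe", target=2484),
    *[Event("privilege", 2484, "msiexec.exe", detail="SeSecurityPrivilege")] * 2,
    *[Event("network", 2484, "msiexec.exe", detail=f"flow {n}")
      for n in (8, 9, 10, 11, 12, 13, 15, 17, 19, 21, 22, 23, 24, 25, 26, 28)],
]


def ppid_spoofing(events):
    """'create' events whose recorded parent is not the process that made the call."""
    return [e for e in events if e.kind == "create" and e.parent not in (None, e.pid)]


def hollowing_pairs(events):
    """(injector, victim) pairs where one process both wrote the victim's memory
    and reset a thread context in it. Memory writes alone are not enough: the
    rundll32.exe -> rundll32.exe writes have no SetThreadContext and are not paired."""
    wrote, hijacked = defaultdict(set), defaultdict(set)
    for e in events:
        if e.kind == "write_memory":
            wrote[e.pid].add(e.target)
        elif e.kind == "set_thread_context":
            hijacked[e.pid].add(e.target)
    return sorted((src, tgt) for src, tgts in hijacked.items() for tgt in tgts & wrote[src])


def injected_network_flows(events):
    """Network flows attributed to processes that were hollowed by another process."""
    victims = {tgt for _, tgt in hollowing_pairs(events)}
    flows = defaultdict(list)
    for e in events:
        if e.kind == "network" and e.pid in victims:
            flows[e.pid].append(e.detail)
    return dict(flows)


def findings(events):
    """Human-readable summary of the three correlated detections."""
    out = []
    for e in ppid_spoofing(events):
        out.append(f"PPID spoofing: {e.image} ({e.pid}) created {e.target} with parent {e.parent}")
    for src, tgt in hollowing_pairs(events):
        out.append(f"Process hollowing: {src} -> {tgt} (WriteProcessMemory + SetThreadContext)")
    for pid, fl in injected_network_flows(events).items():
        out.append(f"C2 candidate: hollowed pid {pid} made {len(fl)} network requests")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Pairing WriteProcessMemory with SetThreadContext on the same target is what separates the msiexec.exe injection from the rundll32.exe to rundll32.exe writes, which the sandbox also flags but which carry no thread hijack; attributing the 16 flows to a hollowed process rather than to "msiexec.exe" is what turns a blacklisted-process hit into a C2 lead.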
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.18157.dll,#1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken