Analysis
-
max time kernel
134s -
max time network
125s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
30-06-2020 02:45
General
-
Target
SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll
-
Size
579KB
-
MD5
08dac5157102790bb1c6d3a65660db37
-
SHA1
e48fc7a827613aa62fde4c38d239704bfb6d8b95
-
SHA256
455c21fbac342659cd4b5cc162772117cce60f6b59f04dba0dd4327868a428eb
-
SHA512
a006c26cdd8da705cbadc9f9837efe4c4feed5ba8dbf5348520a3e66c2c56ab5842c74bdae7ad1cc255a4be0f763325301784190d26bcd7691e43f9f7b2e19de
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Blacklisted process makes network request 16 IoCs
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll,#13⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe2⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2740-1-0x00000000005B0000-0x00000000005DC000-memory.dmpFilesize
176KB
-
memory/2740-2-0x0000000000000000-mapping.dmp
-
memory/4036-0-0x0000000000000000-mapping.dmp