Analysis
- max time kernel: 134s
- max time network: 125s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 02:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll
- Size: 579KB
- MD5: 08dac5157102790bb1c6d3a65660db37
- SHA1: e48fc7a827613aa62fde4c38d239704bfb6d8b95
- SHA256: 455c21fbac342659cd4b5cc162772117cce60f6b59f04dba0dd4327868a428eb
- SHA512: a006c26cdd8da705cbadc9f9837efe4c4feed5ba8dbf5348520a3e66c2c56ab5842c74bdae7ad1cc255a4be0f763325301784190d26bcd7691e43f9f7b2e19de
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: rundll32.exe
    description              pid   process       target process
    PID 4036 created 3008    4036  rundll32.exe  Explorer.EXE
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
    description                           pid   process       target process
    PID 4036 set thread context of 2740   4036  rundll32.exe  msiexec.exe
- Blacklisted process makes network request (16 IoCs)
  Processes: msiexec.exe
    flow  pid   process
    8     2740  msiexec.exe
    9     2740  msiexec.exe
    10    2740  msiexec.exe
    11    2740  msiexec.exe
    12    2740  msiexec.exe
    13    2740  msiexec.exe
    15    2740  msiexec.exe
    17    2740  msiexec.exe
    19    2740  msiexec.exe
    21    2740  msiexec.exe
    22    2740  msiexec.exe
    23    2740  msiexec.exe
    24    2740  msiexec.exe
    25    2740  msiexec.exe
    26    2740  msiexec.exe
    28    2740  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 896 wrote to memory of 4036    896   rundll32.exe  rundll32.exe
    PID 896 wrote to memory of 4036    896   rundll32.exe  rundll32.exe
    PID 896 wrote to memory of 4036    896   rundll32.exe  rundll32.exe
    PID 4036 wrote to memory of 2740   4036  rundll32.exe  msiexec.exe
    PID 4036 wrote to memory of 2740   4036  rundll32.exe  msiexec.exe
    PID 4036 wrote to memory of 2740   4036  rundll32.exe  msiexec.exe
    PID 4036 wrote to memory of 2740   4036  rundll32.exe  msiexec.exe
    PID 4036 wrote to memory of 2740   4036  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe, msiexec.exe
    description                  pid   process
    Token: SeDebugPrivilege      4036  rundll32.exe
    Token: SeSecurityPrivilege   2740  msiexec.exe
    Token: SeSecurityPrivilege   2740  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid   process
    4036  rundll32.exe
    4036  rundll32.exe
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HENB.25036.dll,#1
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\msiexec.exe
    command line: msiexec.exe
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken