Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 19:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: wndll.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: wndll.exe
- Size: 310KB
- MD5: 4e0966f48e6fe2451eae96f7696dcab9
- SHA1: f37c0ca9db58a784cf77712bcfaa6cf18233b495
- SHA256: 5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb
- SHA512: 19eb88285c79a199ae9ff0ccc2696973185b66f1b7bf06a6b9c4aebb269eb0da71e37a39017403e4b66adbd4071911febe08dd44e3f8c0f4adb10dfe661e9b9f
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  - 3724 wndll.exe (2 entries)
  - 3580 svhost.exe (3 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
  - PID 3724 wndll.exe wrote to memory of 3580 svhost.exe (8 entries)
  - PID 3724 wndll.exe wrote to memory of 724 cmd.exe (3 entries)
  - PID 3724 wndll.exe wrote to memory of 1052 cmd.exe (3 entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 3724 wndll.exe set thread context of 3580 svhost.exe
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 3580 svhost.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk (wndll.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3724 wndll.exe
  - Token: SeDebugPrivilege, 3580 svhost.exe
- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier (cmd.exe)
- Checks whether UAC is enabled (1 IoC)
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (svhost.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 3580 svhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\wndll.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wndll.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/wndll.exe" "%temp%\FolderN\name.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
- memory/724-4-0x0000000000000000-mapping.dmp
- memory/1052-6-0x0000000000000000-mapping.dmp
- memory/3580-1-0x000000000041E792-mapping.dmp