Analysis
- max time kernel: 57s
- max time network: 72s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 07:00
Static task: static1
Behavioral task: behavioral1
- Sample: cvent.bin.dll
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: cvent.bin.dll
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: cvent.bin.dll
- Size: 464KB
- MD5: 0474325cfc9bb94ada64c4ac026cf0f6
- SHA1: bca3b42e3b6717c8ef2d0966e78f5dd12c35e5fb
- SHA256: 563463dca03d5d1d64d11465d2a511f995254663194032a891fd5491c4062cff
- SHA512: 031db5b4add2d5c69cd8ea7a04b8bdae8635a3d33776b91b4e1942bf24e0c0a6ac0f08ea4ba5caaf010a7b623166c95c9c9f8c90d946b58a95e08e39afa5a5f8
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description                      | pid  | process      | target process
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
  PID 1456 wrote to memory of 1484 | 1456 | rundll32.exe | rundll32.exe
- Blacklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  4    | 1484 | rundll32.exe
  6    | 1484 | rundll32.exe
  8    | 1484 | rundll32.exe
- Donot APT Downloader
  A downloader used by the Donot APT group to download further modules.
- Modifies system certificate store
  Processes: rundll32.exe
  description      | ioc | process
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | rundll32.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cvent.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cvent.bin.dll,#1
    - Blacklisted process makes network request
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1484-0-0x0000000000000000-mapping.dmp