donot_downloader | 563463dca03d5d1d64d11465d2a511f995254663194032a891fd5491c4062cff | Triage

Analysis

max time kernel
128s
max time network
124s
platform
windows10_x64
resource
win10v200430
submitted
07-07-2020 07:00

Sharing

Report Analysis Logs

General

Target

cvent.bin.dll
Size

464KB
MD5

0474325cfc9bb94ada64c4ac026cf0f6
SHA1

bca3b42e3b6717c8ef2d0966e78f5dd12c35e5fb
SHA256

563463dca03d5d1d64d11465d2a511f995254663194032a891fd5491c4062cff
SHA512

031db5b4add2d5c69cd8ea7a04b8bdae8635a3d33776b91b4e1942bf24e0c0a6ac0f08ea4ba5caaf010a7b623166c95c9c9f8c90d946b58a95e08e39afa5a5f8

Score

10^/10

rat donot_downloader

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1484 wrote to memory of 1548	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1548	1484	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1548	1484	rundll32.exe	rundll32.exe

Blacklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

4 1548 rundll32.exe
6 1548 rundll32.exe
8 1548 rundll32.exe
10 1548 rundll32.exe
Donot APT Downloader
A downloader used by Donot APT group to download further modules.
rat donot_downloader

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cvent.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cvent.bin.dll,#1
2⤵
- Blacklisted process makes network request
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-0-0x0000000000000000-mapping.dmp

Download