Analysis
- max time kernel: 41s
- max time network: 55s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 17:05

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1.dll
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 1.dll
- Size: 70KB
- MD5: beb47225071bd8762c0cb0d6e609129d
- SHA1: 48ca7e1d89edfb21cd2367eb9a38106c00adf7d2
- SHA256: 52a24d465b42683adfa19511061a7b6a3aa3ec87c375c8a710ec3983ddbe0431
- SHA512: d694ef53ffee166523a749bccfc1c60b790fefe9904cfa616285932fe39e3f8d9cd9d706a85d6c2ef3922a3bf2c06e4312aab62ac50927ddc24da4750682cd53
Malware Config
Signatures

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description / pid / process):
  - Token: SeImpersonatePrivilege / 1448 / rundll32.exe
  - Token: SeTcbPrivilege / 1448 / rundll32.exe
  - Token: SeChangeNotifyPrivilege / 1448 / rundll32.exe
  - Token: SeCreateTokenPrivilege / 1448 / rundll32.exe
  - Token: SeBackupPrivilege / 1448 / rundll32.exe
  - Token: SeRestorePrivilege / 1448 / rundll32.exe
  - Token: SeIncreaseQuotaPrivilege / 1448 / rundll32.exe
  - Token: SeAssignPrimaryTokenPrivilege / 1448 / rundll32.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 1448 / rundll32.exe

- Checks for installed software on the system (1 TTP, 10 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName / rundll32.exe
  - Key enumerated / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName / rundll32.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName / rundll32.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 1412 wrote to memory of 1448 / 1412 / rundll32.exe / rundll32.exe (7 entries)
  - PID 1448 wrote to memory of 1496 / 1448 / rundll32.exe / cmd.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  PID: 1412
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
    PID: 1448
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Checks for installed software on the system
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /K
      PID: 1496