Analysis
- max time kernel: 147s
- max time network: 125s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 09:51
Static task: static1

Behavioral task: behavioral1
- Sample: literary.dll
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: literary.dll
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: literary.dll
- Size: 282KB
- MD5: 2ad76998fa6e595b62a77df8a5fe7e1b
- SHA1: 8f179f26412a2df01f273796020133d182ee8bba
- SHA256: 0c8569e4304f46352b041dcb692f85c9e195130db2013d4f2216130603478035
- SHA512: 99bd1c1070c8a01dc26541ee3da5d218cae362be3d4410af316707339e62df2092fd57ec0eb3b8ec5599b3e54a6eecd28740317b87c90f72d0502444a442983a
- Score: 10/10
Malware Config

Signatures

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avoc = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Fabeda\\teudaw.dll" | msiexec.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2088 set thread context of 2200 | 2088 | rundll32.exe | msiexec.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description | pid | process
  Token: SeSecurityPrivilege | 2200 | msiexec.exe
  Token: SeSecurityPrivilege | 2200 | msiexec.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 3768 wrote to memory of 2088 | 3768 | rundll32.exe | rundll32.exe
  PID 3768 wrote to memory of 2088 | 3768 | rundll32.exe | rundll32.exe
  PID 3768 wrote to memory of 2088 | 3768 | rundll32.exe | rundll32.exe
  PID 2088 wrote to memory of 2200 | 2088 | rundll32.exe | msiexec.exe
  PID 2088 wrote to memory of 2200 | 2088 | rundll32.exe | msiexec.exe
  PID 2088 wrote to memory of 2200 | 2088 | rundll32.exe | msiexec.exe
  PID 2088 wrote to memory of 2200 | 2088 | rundll32.exe | msiexec.exe
  PID 2088 wrote to memory of 2200 | 2088 | rundll32.exe | msiexec.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\literary.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\literary.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken