Analysis
- max time kernel: 137s
- max time network: 138s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 10:03
Static task: static1

Behavioral task: behavioral1
- Sample: 633cd326ca9d43b7ce9165f0d16e0b91.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 633cd326ca9d43b7ce9165f0d16e0b91.exe
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 633cd326ca9d43b7ce9165f0d16e0b91.exe
- Size: 827KB
- MD5: 633cd326ca9d43b7ce9165f0d16e0b91
- SHA1: 0289f2187c7d04885c58591682fb0ee777d141b1
- SHA256: a8cb739dc56d68cf6124b2f5befa57f906d43bfdf7bc314aded4d601ebd51297
- SHA512: c1be333b65fe2df027c0d3de4a8ab51dac9c7a262322d2d9e54b0f93411799c2cc699402d7197a530f641bcf0d365141995e520c5557ba2caaed0a53260dec6c
- Score: 8/10
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1488  bdif.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1800  rundll32.exe
    1800  rundll32.exe

- Blacklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
    5  1800  rundll32.exe
    9  1784  rundll32.exe

- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
    File created  \??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier  633cd326ca9d43b7ce9165f0d16e0b91.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main"  REG.exe
    Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run  REG.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main"  REG.exe
    Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run  REG.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Loads dropped DLL (10 IoCs)
  Processes (pid, process):
    1424  633cd326ca9d43b7ce9165f0d16e0b91.exe
    1424  633cd326ca9d43b7ce9165f0d16e0b91.exe
    1800  rundll32.exe
    1800  rundll32.exe
    1800  rundll32.exe
    1800  rundll32.exe
    1784  rundll32.exe
    1784  rundll32.exe
    1784  rundll32.exe
    1784  rundll32.exe

- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description, source pid / process, target pid / process, occurrences):
    PID 1424 wrote to memory of 1488  1424 633cd326ca9d43b7ce9165f0d16e0b91.exe  1488 bdif.exe       4
    PID 1488 wrote to memory of 1796  1488 bdif.exe                              1796 REG.exe        4
    PID 1488 wrote to memory of 1800  1488 bdif.exe                              1800 rundll32.exe   7
    PID 1488 wrote to memory of 1756  1488 bdif.exe                              1756 REG.exe        4
    PID 1488 wrote to memory of 1784  1488 bdif.exe                              1784 rundll32.exe   7
    PID 1488 wrote to memory of 2036  1488 bdif.exe                              2036 cmd.exe        4
    PID 1488 wrote to memory of 1052  1488 bdif.exe                              1052 REG.exe        4
    PID 2036 wrote to memory of 316   2036 cmd.exe                               316 schtasks.exe    4
Processes

- C:\Users\Admin\AppData\Local\Temp\633cd326ca9d43b7ce9165f0d16e0b91.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\633cd326ca9d43b7ce9165f0d16e0b91.exe"
  Signatures: NTFS ADS; Loads dropped DLL; Suspicious use of WriteProcessMemory

  - \??\c:\programdata\1321ba6d1f\bdif.exe (depth 2)
    Command line: c:\programdata\1321ba6d1f\bdif.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
      Signatures: Adds Run key to start application

    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
      Signatures: Suspicious behavior: EnumeratesProcesses; Blacklisted process makes network request; Loads dropped DLL

    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
      Signatures: Adds Run key to start application

    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
      Signatures: Blacklisted process makes network request; Loads dropped DLL

    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
      Signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
        Signatures: Creates scheduled task(s)

    - C:\Windows\SysWOW64\REG.exe (depth 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\1321ba6d1f\bdif.exe
- C:\ProgramData\a174c1ef10e2077451f5b6dda83242a1
- C:\Users\Admin\AppData\Local\Temp\cred.dll
- C:\Users\Admin\AppData\Local\Temp\scr.dll
- \ProgramData\1321ba6d1f\bdif.exe
- \Users\Admin\AppData\Local\Temp\cred.dll
- \Users\Admin\AppData\Local\Temp\scr.dll
- memory/316-21-0x0000000000000000-mapping.dmp
- memory/1052-20-0x0000000000000000-mapping.dmp
- memory/1488-2-0x0000000000000000-mapping.dmp
- memory/1756-12-0x0000000000000000-mapping.dmp
- memory/1784-13-0x0000000000000000-mapping.dmp
- memory/1796-5-0x0000000000000000-mapping.dmp
- memory/1800-6-0x0000000000000000-mapping.dmp
- memory/2036-19-0x0000000000000000-mapping.dmp