Analysis
- max time kernel: 137s
- max time network: 145s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 10:16
Static task: static1

Behavioral task: behavioral1
- Sample: d9cbb1b75b2ec76764fa80ef4ff42382.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: d9cbb1b75b2ec76764fa80ef4ff42382.exe
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: d9cbb1b75b2ec76764fa80ef4ff42382.exe
- Size: 827KB
- MD5: d9cbb1b75b2ec76764fa80ef4ff42382
- SHA1: fc2c102ad05eda02088f21426a03257b095aab51
- SHA256: 5debeda2835def4c4f135d47aa5fc9d0ef39d5193e50a85b690332db62a8cafe
- SHA512: ab8c5f63c39ed404e9ad28731107ad9405295207f80f2b8b2d7bc6b641da67400c29978845fcf97c6aed3981f5714c2f355c1dc40d1294b9a53185792458c5be
- Score: 8/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1844 rundll32.exe
- 1844 rundll32.exe

Blacklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
- flow 6, pid 1844, rundll32.exe
- flow 10, pid 1912, rundll32.exe

NTFS ADS (1 IoC)
Processes (description, ioc, process):
- File created: \??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier (d9cbb1b75b2ec76764fa80ef4ff42382.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run (REG.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main" (REG.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run (REG.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main" (REG.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Loads dropped DLL (10 IoCs)
Processes (pid, process):
- 1496 d9cbb1b75b2ec76764fa80ef4ff42382.exe
- 1496 d9cbb1b75b2ec76764fa80ef4ff42382.exe
- 1844 rundll32.exe
- 1844 rundll32.exe
- 1844 rundll32.exe
- 1844 rundll32.exe
- 1912 rundll32.exe
- 1912 rundll32.exe
- 1912 rundll32.exe
- 1912 rundll32.exe

Suspicious use of WriteProcessMemory (38 IoCs)
Processes (description, pid, process, target process); identical rows are collapsed with their count:
- PID 1496 wrote to memory of 1600: d9cbb1b75b2ec76764fa80ef4ff42382.exe -> bdif.exe (4 times)
- PID 1600 wrote to memory of 1764: bdif.exe -> REG.exe (4 times)
- PID 1600 wrote to memory of 1844: bdif.exe -> rundll32.exe (7 times)
- PID 1600 wrote to memory of 1916: bdif.exe -> REG.exe (4 times)
- PID 1600 wrote to memory of 1912: bdif.exe -> rundll32.exe (7 times)
- PID 1600 wrote to memory of 2012: bdif.exe -> cmd.exe (4 times)
- PID 1600 wrote to memory of 1212: bdif.exe -> REG.exe (4 times)
- PID 2012 wrote to memory of 924: cmd.exe -> schtasks.exe (4 times)

Executes dropped EXE (1 IoC)
Processes (pid, process):
- 1600 bdif.exe
Processes (process tree; indentation shows depth)
- [1] C:\Users\Admin\AppData\Local\Temp\d9cbb1b75b2ec76764fa80ef4ff42382.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9cbb1b75b2ec76764fa80ef4ff42382.exe"
  - NTFS ADS
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\programdata\1321ba6d1f\bdif.exe
    Command line: c:\programdata\1321ba6d1f\bdif.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\REG.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
      - Adds Run key to start application
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cred.dll, Main
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Loads dropped DLL
    - [3] C:\Windows\SysWOW64\REG.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
      - Adds Run key to start application
    - [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\scr.dll, Main
      - Blacklisted process makes network request
      - Loads dropped DLL
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe
        Command line: SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
        - Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\REG.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\1321ba6d1f\bdif.exe
- C:\ProgramData\a174c1ef10e2077451f5b6dda83242a1
- C:\Users\Admin\AppData\Local\Temp\cred.dll
- C:\Users\Admin\AppData\Local\Temp\scr.dll
- \ProgramData\1321ba6d1f\bdif.exe
- \ProgramData\1321ba6d1f\bdif.exe
- \Users\Admin\AppData\Local\Temp\cred.dll
- \Users\Admin\AppData\Local\Temp\cred.dll
- \Users\Admin\AppData\Local\Temp\cred.dll
- \Users\Admin\AppData\Local\Temp\cred.dll
- \Users\Admin\AppData\Local\Temp\scr.dll
- \Users\Admin\AppData\Local\Temp\scr.dll
- \Users\Admin\AppData\Local\Temp\scr.dll
- \Users\Admin\AppData\Local\Temp\scr.dll
- memory/924-21-0x0000000000000000-mapping.dmp
- memory/1212-20-0x0000000000000000-mapping.dmp
- memory/1600-2-0x0000000000000000-mapping.dmp
- memory/1764-5-0x0000000000000000-mapping.dmp
- memory/1844-6-0x0000000000000000-mapping.dmp
- memory/1912-13-0x0000000000000000-mapping.dmp
- memory/1916-12-0x0000000000000000-mapping.dmp
- memory/2012-19-0x0000000000000000-mapping.dmp