Analysis
max time kernel: 44s
max time network: 96s
platform: windows7_x64
resource: win7v200722
submitted: 31-07-2020 13:24
Static task: static1
Behavioral task: behavioral1
  Sample: kpryt.bin.dll
  Resource: win7v200722 (windows7_x64)
Behavioral task: behavioral2
  Sample: kpryt.bin.dll
  Resource: win10 (windows10_x64)
General
Target: kpryt.bin.dll
Size: 554KB
MD5: 5c09c68b5bb3996f903218bc0e101025
SHA1: d566450d11dff5ac3611c4215b28fef2a14a0d8c
SHA256: 21989a16f64302716a565599f469f5a97fb4a1b14ff6ed1896d2650866e12d6c
SHA512: fd83ff5d4514629fabf2e3d88a536604b235c9f48d756816829650737687b73ec7ddc98782771720b2d9c843764f7893e7f3bf6f7f9bbdad1958cce53d9658b9
Score: 10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                        pid   process       target process
PID 1088 wrote to memory of 1068   1088  rundll32.exe  rundll32.exe
(the same entry is recorded 7 times)
-
Blacklisted process makes network request (3 IoCs)
Processes:
flow  pid   process
4     1068  rundll32.exe
6     1068  rundll32.exe
8     1068  rundll32.exe
-
Donot APT Downloader
A downloader used by the Donot APT group to download further modules.
-
Modifies system certificate store (2 IoCs)
The key name DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of DST Root CA X3: the DER certificate embedded in the Blob value below carries the issuer "Digital Signature Trust Co.", the common name "DST Root CA X3", and the serial 44afb080d6a327ba893039862ef8406b. AuthRoot is the store that Windows' automatic root certificate update fills on demand the first time a process builds a chain to a root it does not yet have, so this IoC is a side effect of the child process's network activity, not evidence that the sample installs its own trust anchor. On its own it is low-signal; the network requests from PID 1068 are the part worth following up.
Processes:
description       ioc                                                                                                                    process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13         rundll32.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510   rundll32.exe
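The check a triager wants on a "Modifies system certificate store" hit is to decode the Blob value and confirm which certificate was written and whether its thumbprint matches the key name. The script below is an added example, not part of the sandbox report or the sandbox's own code: it parses the serialized certificate store element format Windows uses for these Blob values (repeated records of uint32 property id, uint32 reserved, uint32 length, data), pulls out the friendly name, the cached SHA-1 property and the DER certificate, and recomputes the thumbprint from the DER. Its only inputs are the key name and the Blob hex copied from the signature above; the property id constants are the wincrypt.h values.

```python
"""Decode the AuthRoot Blob value from the report and check what it contains.

Added example, not part of the sandbox report. The only inputs are the
registry key name and the Blob hex copied from the "Modifies system
certificate store" signature above; everything else is standard library.
"""
import hashlib
import struct

# Registry key name from the report. Windows names AuthRoot entries by the
# SHA-1 thumbprint of the certificate they hold.
KEY_NAME = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"

# Blob value copied verbatim from the report (the two wrapped source lines joined).
BLOB_HEX = (
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc415608589103"
    "00d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510"
)

# CryptoAPI certificate property IDs (wincrypt.h) used below.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob):
    """Split a serialized certificate store element into its property records.

    Each record is little-endian: uint32 property id, uint32 reserved (it is 1
    in every record of this blob), uint32 data length, then the data. Returns
    a dict mapping property id to raw bytes; raises ValueError on truncation.
    """
    props = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed property record at offset %d" % (off - 12))
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def check_authroot_entry(key_name, blob_hex):
    """Summarise one AuthRoot entry the way a triager needs it.

    The thumbprint is recomputed from the embedded DER certificate rather than
    read from the cached SHA-1 property, so an entry whose key name, cached
    hash and certificate disagree is caught instead of trusted.
    """
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest()
    cached = props[CERT_SHA1_HASH_PROP_ID].hex()
    return {
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "der_len": len(der),
        "cached_sha1": cached,
        "computed_sha1": computed,
        "thumbprint_consistent": computed == cached == key_name.lower(),
        # Cheap sanity check on the DER without pulling in an X.509 parser.
        "issuer_is_dst": b"Digital Signature Trust Co." in der,
    }


if __name__ == "__main__":
    for field, value in check_authroot_entry(KEY_NAME, BLOB_HEX).items():
        print("%s: %s" % (field, value))
```

If the recomputed thumbprint did not match the key name, or the friendly name and issuer pointed at a CA no public chain uses, the same signature hit would deserve the opposite conclusion: a trust anchor planted by the sample rather than one fetched by Windows.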
Processes
-
C:\Windows\system32\rundll32.exe (PID 1088)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\kpryt.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe (PID 1068, child of PID 1088)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\kpryt.bin.dll,#1
    - Blacklisted process makes network request
    - Modifies system certificate store
The System32 rundll32.exe, when handed a 32-bit DLL, relaunches the SysWOW64 rundll32.exe with the same command line; that is the parent/child pair here, and the seven WriteProcessMemory IoCs are the 64-bit parent (1088) writing into the 32-bit child (1068) it created, not injection into an unrelated process. Export #1 of kpryt.bin.dll executes in PID 1068, which is where the network requests and the certificate store change originate.
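To keep the seven repeated parent-to-child writes from drowning out a write that would actually matter, it helps to classify WriteProcessMemory events against the process tree. The script below is an added example, not part of the sandbox report: the two rundll32 processes and the seven write events are taken from the report, while the explorer.exe process and the write into it are constructed here to show the contrasting case that does merit an injection investigation.

```python
"""Classify WriteProcessMemory events from a sandbox process tree.

Added example, not part of the sandbox report. The two rundll32 processes and
the seven write events come from the report; the explorer.exe process and the
write into it are constructed to show the contrasting case.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


def rundll32_target(cmdline):
    """Return the DLL path rundll32 was told to load, lower-cased, or None.

    rundll32 syntax is: rundll32.exe <dll>,<export> [arguments].
    """
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().lower()


def is_wow64_respawn(parent, child):
    """True when a 64-bit rundll32 relaunched its 32-bit counterpart for the same DLL.

    That is what the System32 rundll32.exe does when handed a 32-bit DLL, and
    it is the relationship between PID 1088 and PID 1068 in the report.
    """
    return (
        parent.image.lower() == r"c:\windows\system32\rundll32.exe"
        and child.image.lower() == r"c:\windows\syswow64\rundll32.exe"
        and rundll32_target(parent.cmdline) is not None
        and rundll32_target(parent.cmdline) == rundll32_target(child.cmdline)
    )


def classify_writes(procs, writes):
    """Label each (writer_pid, target_pid) event.

    "wow64-respawn" is the expected parent-to-child write seen in the report,
    "write-into-own-child" any other write into a direct child, and
    "cross-process-write" everything else, which is the case worth chasing.
    """
    by_pid = {p.pid: p for p in procs}
    labels = []
    for writer_pid, target_pid in writes:
        writer, target = by_pid[writer_pid], by_pid[target_pid]
        if target.ppid == writer.pid and is_wow64_respawn(writer, target):
            labels.append("wow64-respawn")
        elif target.ppid == writer.pid:
            labels.append("write-into-own-child")
        else:
            labels.append("cross-process-write")
    return labels


def summarize(procs, writes):
    """Count labels so a 7x repeated benign event does not hide the one that matters."""
    counts = {}
    for label in classify_writes(procs, writes):
        counts[label] = counts.get(label, 0) + 1
    return counts


# Process tree from the report (the parent of PID 1088 is not given, hence None).
REPORT_PROCS = [
    Proc(1088, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\kpryt.bin.dll,#1"),
    Proc(1068, 1088, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\kpryt.bin.dll,#1"),
]
# The seven identical IoCs from the "Suspicious use of WriteProcessMemory" signature.
REPORT_WRITES = [(1088, 1068)] * 7

# Constructed contrast case (not in the report): the child writes into an
# unrelated process, which is the pattern that signals injection.
CONSTRUCTED_PROCS = REPORT_PROCS + [
    Proc(2000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
]
CONSTRUCTED_WRITES = REPORT_WRITES + [(1068, 2000)]


if __name__ == "__main__":
    print(summarize(REPORT_PROCS, REPORT_WRITES))
    print(summarize(CONSTRUCTED_PROCS, CONSTRUCTED_WRITES))
```

Run against the report's own events every write collapses to a single "wow64-respawn" bucket; the constructed write from PID 1068 into explorer.exe is the only event that surfaces as "cross-process-write".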
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1068-0-0x0000000000000000-mapping.dmp