Analysis
- max time kernel: 114s
- max time network: 121s
- platform: windows7_x64
- resource: win7
- submitted: 02-08-2020 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
  Resource: win7
Behavioral task: behavioral2
  Sample: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
  Resource: win10v200722
General
- Target: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
- Size: 258KB
- MD5: 9070256c0531a143da6ee6697b5aa352
- SHA1: 54f313419abe2dd153b7d2e66f8270b2a459cd13
- SHA256: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751
- SHA512: f9e22d2f730a699c4cde38b6bb35b16733864e17d3de109a667ebc3e8e057f6778ae5a62f597ffbde936cc8fc8b075814012890058364ee4a86ebb8649eeac40
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe, taskhost.exe
  description               pid   process
  Token: SeDebugPrivilege   1124  rundll32.exe
  Token: SeDebugPrivilege   1184  taskhost.exe
  Token: SeDebugPrivilege   1184  taskhost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                        pid   process       target process
  PID 1124 wrote to memory of 1184   1124  rundll32.exe  taskhost.exe
  PID 1124 wrote to memory of 1184   1124  rundll32.exe  taskhost.exe
  PID 1124 wrote to memory of 1184   1124  rundll32.exe  taskhost.exe
- Deletes itself (1 IoCs)
  Processes: taskhost.exe
  pid   process
  1184  taskhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: taskhost.exe
  Key created (taskhost.exe):
    \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) (taskhost.exe):
    \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Internet Explorer.lnk"
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: rundll32.exe, taskhost.exe
  pid   process
  1124  rundll32.exe
  1184  taskhost.exe
  1184  taskhost.exe
Processes
- C:\Windows\system32\taskhost.exe (PID 1184)
  Command line: "taskhost.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\rundll32.exe (PID 1124)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll,#1
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1184-0-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)
- memory/1184-1-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)
- memory/1184-2-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)
- memory/1184-3-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)
- memory/1184-4-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)
- memory/1184-5-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)
- memory/1184-6-0x0000000001DA0000-0x0000000001DE7000-memory.dmp (Filesize: 284KB)