Analysis
- max time kernel: 143s
- max time network: 57s
- platform: windows10_x64
- resource: win10v200722
- submitted: 02-08-2020 09:05
Static task: static1
Behavioral task: behavioral1
- Sample: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
- Resource: win7
Behavioral task: behavioral2
- Sample: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
- Resource: win10v200722
General
- Target: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
- Size: 258KB
- MD5: 9070256c0531a143da6ee6697b5aa352
- SHA1: 54f313419abe2dd153b7d2e66f8270b2a459cd13
- SHA256: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751
- SHA512: f9e22d2f730a699c4cde38b6bb35b16733864e17d3de109a667ebc3e8e057f6778ae5a62f597ffbde936cc8fc8b075814012890058364ee4a86ebb8649eeac40
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: svchost.exe (PID 2356)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Internet Explorer.lnk" (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: rundll32.exe (PID 2584, 4 events); svchost.exe (PID 2356, 4 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe (PID 2584) Token: SeDebugPrivilege; svchost.exe (PID 2356) Token: SeDebugPrivilege (2 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2584 (rundll32.exe) wrote to memory of PID 2356 (svchost.exe), 3 events
Processes
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2356-0-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)
- memory/2356-1-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)
- memory/2356-2-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)
- memory/2356-3-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)
- memory/2356-4-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)
- memory/2356-5-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)
- memory/2356-6-0x0000020070540000-0x0000020070587000-memory.dmp (284KB)