Analysis
- max time kernel: 132s
- max time network: 138s
- platform: windows7_x64
- resource: win7
- submitted: 08-09-2020 07:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: md.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: md.exe
- Size: 440KB
- MD5: 027cb4041c42ee1d56cd02830960fcc4
- SHA1: 5bff076221b7934b331384f02cb250dc51b59cea
- SHA256: 9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
- SHA512: c01a01d5af3fec7d0c7b15d739fec3cbeb27740cee33327bf15214ef6e0e14e70922abce5f405e68ec063d9bf5e31d5886fc0fc07852154d01c96aa142b24251
- Score: 7/10
Malware Config

Signatures

- Loads dropped DLL (1 IoC)
  Processes:
  pid 1772, process rundll32.exe

- Program crash (1 IoC)
  Processes:
  pid 1888, process WerFault.exe; target pid 1772, target process rundll32.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid 1888, process WerFault.exe (5 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Token: SeDebugPrivilege; pid 1888, process WerFault.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  PID 1124 (md.exe) wrote to memory of 1772 (rundll32.exe) (7 occurrences)
  PID 1772 (rundll32.exe) wrote to memory of 1888 (WerFault.exe) (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\md.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\md.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe CuminFettucine,Uboats
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 228
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\CuminFettucine.DLL
- C:\Users\Admin\AppData\Local\Temp\Influenza
- \Users\Admin\AppData\Local\Temp\CuminFettucine.dll
- memory/1772-0-0x0000000000000000-mapping.dmp
- memory/1772-6-0x0000000000000000-mapping.dmp
- memory/1888-4-0x0000000000000000-mapping.dmp
- memory/1888-5-0x0000000001E20000-0x0000000001E31000-memory.dmp (Filesize: 68KB)
- memory/1888-7-0x0000000002530000-0x0000000002541000-memory.dmp (Filesize: 68KB)