Analysis
max time kernel: 79s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 05-11-2020 05:23
Static task: static1
Behavioral task: behavioral1
Sample: 5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: 5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll
Size: 68KB
MD5: 0e9a211f76500fcb3f47f4ea3c94b1c5
SHA1: f92f1d121642844b1dab7eee204aa83a5ee0a1e2
SHA256: 5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3
SHA512: 15ccb1a92f48bcbd5b9043b9dc275170030a73ad5ffc9e55550a32cf3f2ac3379dc65b95851ec9c5bd643093b28f37dbb41fe2319af374a725e83a7a1870d76f
Malware Config
Signatures

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description                           pid  process
Token: SeImpersonatePrivilege         576  rundll32.exe
Token: SeTcbPrivilege                 576  rundll32.exe
Token: SeChangeNotifyPrivilege        576  rundll32.exe
Token: SeCreateTokenPrivilege         576  rundll32.exe
Token: SeBackupPrivilege              576  rundll32.exe
Token: SeRestorePrivilege             576  rundll32.exe
Token: SeIncreaseQuotaPrivilege       576  rundll32.exe
Token: SeAssignPrimaryTokenPrivilege  576  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                      pid  process       target process
PID 984 wrote to memory of 576   984  rundll32.exe  rundll32.exe
PID 984 wrote to memory of 576   984  rundll32.exe  rundll32.exe
PID 984 wrote to memory of 576   984  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 984
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3.dll,#1
    Suspicious use of AdjustPrivilegeToken
    PID: 576
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/576-0-0x0000000000000000-mapping.dmp