Analysis
max time kernel: 10s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 08-11-2020 14:30

Static task: static1
Behavioral task: behavioral1
  Sample: 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll
  Resource: win10v20201028
General
Target: 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll
Size: 1.6MB
MD5: 11ebdce88a124b803dbae051ec56e8d3
SHA1: 7616165d2eddc7b6a89fc900ed5dbf5713f87351
SHA256: 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6
SHA512: 647198bcfcbcf53062c69d88f403fb2c6ac15df9ee753c3fa7cf4cffee068e230399ab404c3092145354d7573ba496aff9bacf80457de5bfa71df4e070ab0f8b
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs)
Sets service image path in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | rundll32.exe
Modifies service (2 TTPs, 11 IoCs)
Processes: rundll32.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Description = "@%SystemRoot%\\system32\\Sens.dll,-201" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\ObjectName = "LocalSystem" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Parameters | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Parameters\ServiceDll = "C:\\USERS\\ADMIN\\APPDATA\\LOCAL\\TEMP\\24FF7026FC4C06E06F7188C44A5E2D44眀" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Start = "2" | rundll32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\DisplayName = "@%SystemRoot%\\system32\\Sens.dll,-200" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Group = "ProfSvc_Group" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\ErrorControl = "1" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Type = "272" | rundll32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | Process | procid_target
PID 1056 wrote to memory of 1344 | 1056 | rundll32.exe | 71
PID 1056 wrote to memory of 1344 | 1056 | rundll32.exe | 71
PID 1056 wrote to memory of 1344 | 1056 | rundll32.exe | 71
Processes
C:\Windows\system32\rundll32.exe (PID: 1056)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe (PID: 1344)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1
    Signatures: Checks BIOS information in registry; Modifies service; Checks processor information in registry; Enumerates system info in registry
C:\Windows\SysWOW64\svchost.exe (PID: 3292)
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService