Analysis
max time kernel: 129s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 18-11-2020 10:47
Static task: static1
Behavioral task: behavioral1
Sample: 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
Resource: win7v20201028
General
Target: 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
Size: 1.8MB
MD5: bbef6ebebc3e5783028e5d315f359fcf
SHA1: d2bc520851f23d3bdafbf338d8c0619935081862
SHA256: 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725
SHA512: 4fccce85d3eec403fc4eac1ec5e1e2830e000fda9d9d4a04dc60c7a45826d06f41eec6fa4ed054060143ae49205822cd80ce56ce9afc965bff95627038dc8184
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blacklisted process makes network request 1 IoCs
  Processes:
  flow | pid | process
  30 | 4052 | RUNDLL32.EXE
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  3332 | synrusykmpc.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
- Identifies Wine through registry keys 2 TTPs 1 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
- Loads dropped DLL 4 IoCs
  Processes:
  pid | process
  200 | rundll32.exe
  200 | rundll32.exe
  4052 | RUNDLL32.EXE
  4052 | RUNDLL32.EXE
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  17 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
  pid | process
  912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
- Checks processor information in registry 2 TTPs 4 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes:
  pid | process
  912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
  912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
  1076 | powershell.exe
  1076 | powershell.exe
  1076 | powershell.exe
  4052 | RUNDLL32.EXE
  4052 | RUNDLL32.EXE
  3748 | powershell.exe
  3748 | powershell.exe
  3748 | powershell.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 200 | rundll32.exe
  Token: SeDebugPrivilege | 4052 | RUNDLL32.EXE
  Token: SeDebugPrivilege | 1076 | powershell.exe
  Token: SeDebugPrivilege | 3748 | powershell.exe
- Suspicious use of FindShellTrayWindow 1 IoCs
  Processes:
  pid | process
  4052 | RUNDLL32.EXE
- Suspicious use of WriteProcessMemory 24 IoCs
  Processes:
  description | pid | process | target process
  PID 912 wrote to memory of 2688 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 2688 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 2688 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 3780 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 3780 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 3780 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 2404 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 2404 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 912 wrote to memory of 2404 | 912 | 0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe | cmd.exe
  PID 2404 wrote to memory of 3332 | 2404 | cmd.exe | synrusykmpc.exe
  PID 2404 wrote to memory of 3332 | 2404 | cmd.exe | synrusykmpc.exe
  PID 2404 wrote to memory of 3332 | 2404 | cmd.exe | synrusykmpc.exe
  PID 3332 wrote to memory of 200 | 3332 | synrusykmpc.exe | rundll32.exe
  PID 3332 wrote to memory of 200 | 3332 | synrusykmpc.exe | rundll32.exe
  PID 3332 wrote to memory of 200 | 3332 | synrusykmpc.exe | rundll32.exe
  PID 200 wrote to memory of 4052 | 200 | rundll32.exe | RUNDLL32.EXE
  PID 200 wrote to memory of 4052 | 200 | rundll32.exe | RUNDLL32.EXE
  PID 200 wrote to memory of 4052 | 200 | rundll32.exe | RUNDLL32.EXE
  PID 4052 wrote to memory of 1076 | 4052 | RUNDLL32.EXE | powershell.exe
  PID 4052 wrote to memory of 1076 | 4052 | RUNDLL32.EXE | powershell.exe
  PID 4052 wrote to memory of 1076 | 4052 | RUNDLL32.EXE | powershell.exe
  PID 4052 wrote to memory of 3748 | 4052 | RUNDLL32.EXE | powershell.exe
  PID 4052 wrote to memory of 3748 | 4052 | RUNDLL32.EXE | powershell.exe
  PID 4052 wrote to memory of 3748 | 4052 | RUNDLL32.EXE | powershell.exe
Processes (process tree; the leading number is the nesting depth)
1 C:\Users\Admin\AppData\Local\Temp\0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725.exe"
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\njooieqkywl.exe"
  2 C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rvjthghq.exe"
  2 C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe"
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL,A C:\Users\Admin\AppData\Local\Temp\SYNRUS~1.EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\SysWOW64\RUNDLL32.EXE
          Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL,SjYU
          - Blacklisted process makes network request
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          6 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF523.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          6 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp504.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files written during the run (unique paths):
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\Admin\AppData\Local\Temp\3B4770~1.DLL
- C:\Users\Admin\AppData\Local\Temp\synrusykmpc.exe
- C:\Users\Admin\AppData\Local\Temp\tmp504.tmp.ps1
- C:\Users\Admin\AppData\Local\Temp\tmpF523.tmp.ps1