20d4f5c1aeb9db0c7be6a5c2c88216412225e8419d4374a0e50c92d81c5e67fc

Analysis

max time kernel
130s
max time network
18s
platform
windows7_x64
resource
win7v20201028
submitted
20-11-2020 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
Size

4.6MB
MD5

2b850328e045c89a396af20bb10efe99
SHA1

277ac714f14b916fc1c6e8f45b9e8201cbb6c3e5
SHA256

20d4f5c1aeb9db0c7be6a5c2c88216412225e8419d4374a0e50c92d81c5e67fc
SHA512

0820697c24d729d6bdc227a6fa2fd6993265fc736daba86427eb9acb635cc8aba6b3a517384fe42ede40da2b1a1474c1273da3306309bbd724b9f38683b01450

Score

8^/10

discovery spyware

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

4 1532 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

1608 rundll32.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1608 rundll32.exe
1608 rundll32.exe
1608 rundll32.exe
1608 rundll32.exe
1532 RUNDLL32.EXE
1532 RUNDLL32.EXE
1532 RUNDLL32.EXE
1532 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
4	1532	RUNDLL32.EXE

pid	process
1608	rundll32.exe

pid	process
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1532	RUNDLL32.EXE
1532	RUNDLL32.EXE
1532	RUNDLL32.EXE
1532	RUNDLL32.EXE

Drops desktop.ini file(s) 7 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

1624 powershell.exe
1624 powershell.exe
1532 RUNDLL32.EXE
1532 RUNDLL32.EXE
1480 powershell.exe
1480 powershell.exe

pid	process
1624	powershell.exe
1624	powershell.exe
1532	RUNDLL32.EXE
1532	RUNDLL32.EXE
1480	powershell.exe
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1608	rundll32.exe
Token: SeDebugPrivilege	1532	RUNDLL32.EXE
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

1532 RUNDLL32.EXE

pid	process
1532	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1608 wrote to memory of 1532	1608	rundll32.exe	RUNDLL32.EXE
PID 1532 wrote to memory of 1624	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1624	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1624	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1624	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1480	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1480	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1480	1532	RUNDLL32.EXE	powershell.exe
PID 1532 wrote to memory of 1480	1532	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A3D902~1.DLL,A C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A3D902~1.DLL,aQpfjBziAoD2
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp64DD.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.ps1
MD5
f2e5a6322d75cc8db20a13be20dddf7c

SHA1
80981da28483ef69a9517ace6ec1b4043add2b4b

SHA256
5eef7d65c380e98829f3eccaba719c7da472c17542967015b3301d2cd903d98a

SHA512
f6da640c78c3adfbe4ab148e009cedc9229f6cb6d125986ff258edcea6a8bfab029a9108f32beee6d1a4451c73ef213c01063472c8ac1120720a2323dec6559a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64DD.tmp.ps1
MD5
b0586ac78b9619ed5069e2d97020d4ac

SHA1
8d2844a30154dd60d7f49594b82ffd139f1ce707

SHA256
f4b6d2189fca169ca795559d45b1ce8bad210cd1436be5b2f4ba3f154efefb45

SHA512
fada5bf7533ac2a7c4b2ab12ff87a47b0a6a3e311c34ace66b46e2ebc4e590376a9446aef6d44b94982bc4c5fb101e4ff33ed8fc90cc467e67f36102f2ab24a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
24dcad5c541ab4e91ec479dde0800b18

SHA1
61db7bee8f6146ceba6f4a942632ab3dadc48372

SHA256
e1604302a08394fedb0bd0c405b806ccfabd95c1f456126f134de1693ac6ae6a

SHA512
5ae3de3354b1b3636dcec17677ce5958756f1e2440fb46d01b27950e19781631aa4265c3e5a7cf66f5b642c1f2c47b6af0ced52dd4f0b6e80fa0048ed538eeff

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\A3D902~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
memory/1012-25-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp

Filesize
2.5MB

Download
memory/1032-0-0x0000000004E70000-0x00000000052F4000-memory.dmp

Filesize
4.5MB

Download
memory/1032-1-0x0000000005300000-0x0000000005311000-memory.dmp

Filesize
68KB

Download
memory/1480-39-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/1480-38-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1480-37-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1480-36-0x0000000072B50000-0x000000007323E000-memory.dmp

Filesize
6.9MB

Download
memory/1480-40-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/1480-33-0x0000000000000000-mapping.dmp

Download
memory/1532-24-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1532-21-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1532-9-0x0000000000000000-mapping.dmp

Download
memory/1532-14-0x0000000002A40000-0x0000000003098000-memory.dmp

Filesize
6.3MB

Download
memory/1532-22-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1532-20-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1532-23-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1532-19-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1608-8-0x00000000025E0000-0x0000000002C38000-memory.dmp

Filesize
6.3MB

Download
memory/1608-2-0x0000000000000000-mapping.dmp

Download
memory/1624-26-0x0000000000000000-mapping.dmp

Download
memory/1624-31-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1624-27-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/1624-30-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/1624-29-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1624-28-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download