20d4f5c1aeb9db0c7be6a5c2c88216412225e8419d4374a0e50c92d81c5e67fc

Analysis

max time kernel
129s
max time network
93s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
Size

4.6MB
MD5

2b850328e045c89a396af20bb10efe99
SHA1

277ac714f14b916fc1c6e8f45b9e8201cbb6c3e5
SHA256

20d4f5c1aeb9db0c7be6a5c2c88216412225e8419d4374a0e50c92d81c5e67fc
SHA512

0820697c24d729d6bdc227a6fa2fd6993265fc736daba86427eb9acb635cc8aba6b3a517384fe42ede40da2b1a1474c1273da3306309bbd724b9f38683b01450

Score

8^/10

discovery spyware

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

8 2904 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

836 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

836 rundll32.exe
836 rundll32.exe
2904 RUNDLL32.EXE
2904 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
8	2904	RUNDLL32.EXE

pid	process
836	rundll32.exe

pid	process
836	rundll32.exe
836	rundll32.exe
2904	RUNDLL32.EXE
2904	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
2904	RUNDLL32.EXE
2904	RUNDLL32.EXE
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	836	rundll32.exe
Token: SeDebugPrivilege	2904	RUNDLL32.EXE
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2904 RUNDLL32.EXE

pid	process
2904	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 884 wrote to memory of 836	884	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 884 wrote to memory of 836	884	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 884 wrote to memory of 836	884	SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe	rundll32.exe
PID 836 wrote to memory of 2904	836	rundll32.exe	RUNDLL32.EXE
PID 836 wrote to memory of 2904	836	rundll32.exe	RUNDLL32.EXE
PID 836 wrote to memory of 2904	836	rundll32.exe	RUNDLL32.EXE
PID 2904 wrote to memory of 4068	2904	RUNDLL32.EXE	powershell.exe
PID 2904 wrote to memory of 4068	2904	RUNDLL32.EXE	powershell.exe
PID 2904 wrote to memory of 4068	2904	RUNDLL32.EXE	powershell.exe
PID 2904 wrote to memory of 1800	2904	RUNDLL32.EXE	powershell.exe
PID 2904 wrote to memory of 1800	2904	RUNDLL32.EXE	powershell.exe
PID 2904 wrote to memory of 1800	2904	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.rc.24109.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\076B28~1.DLL,A C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\076B28~1.DLL,Y14FfI0=
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8524.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9CA5.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
148306963e5f31698c5b1fca414c4bb6

SHA1
680fece2edb6a160bbf238b9c79c1048fff19452

SHA256
a33a709be227822aebbd0d38c4ff923c2cd260407d4a205ce13a3eecebc1512d

SHA512
47b9e6050a92f9ed9f3e83e02686d75eb07a1c814443ec80011db3ceacda31ddc894e67edcc2912f71c77dda3404eee004145a2b3d855e8abb4ec813db352a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\076B28~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8524.tmp.ps1
MD5
e826f6ac34d130553d849af9eba639eb

SHA1
c796f092c3e9af5b85b32ad9a5c2fb1753b03afe

SHA256
1e72f1d6046641259790f1ecda63a19791cd8559e2b8153fec1df2adac24495d

SHA512
1a198360587a55ae14fd960639c7f7acd2fcbbe60cba3c558c7cd032db48f737b5b45f6531d646682dba3a020226f620fe824f557b57ca50bb07fc6065f8b80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CA5.tmp.ps1
MD5
6b913a0189de147762d9dfda14b7d66b

SHA1
54c314e41b7d9b25e9b2ee14f2dc4a4c96a82c9e

SHA256
5b5adbe0070ce51b120ea6b445be84fe2636ec05269f5da079510fe5acb931bc

SHA512
1ffc11ce0928a1b561aedb8b0fcf9f34daacafe34e70214a078f7a22ac5f5f6645e6b7e658086650f4c32bdf14a803110cddc4f38c98cf022926abf44df6e597

Download Submit
\Users\Admin\AppData\Local\Temp\076B28~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\076B28~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\076B28~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
\Users\Admin\AppData\Local\Temp\076B28~1.DLL
MD5
e808d8d7c58ba9976bef24c39d46d937

SHA1
a9a0124804e066e5deac7eb01ad2766ab9421ff3

SHA256
7a9c21fbb90a59cf1e3f441da1bb50747d3640848b4e81633d681c4dcd3f2820

SHA512
a396b44f79189a6c1cdae213d24c2ce414248dd199dd5e82c44c6b3a09d8e6a15a1740ef32423b4a1aa79bd3a0abaa20c27a0b7e0acc45669c0771d56e06cf63

Download Submit
memory/836-6-0x0000000004B60000-0x00000000051B8000-memory.dmp

Filesize
6.3MB

Download
memory/836-2-0x0000000000000000-mapping.dmp

Download
memory/884-1-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1800-45-0x0000000008470000-0x0000000008471000-memory.dmp

Filesize
4KB

Download
memory/1800-42-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/1800-36-0x0000000070EC0000-0x00000000715AE000-memory.dmp

Filesize
6.9MB

Download
memory/1800-34-0x0000000000000000-mapping.dmp

Download
memory/2904-15-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/2904-21-0x0000000005310000-0x0000000005411000-memory.dmp

Filesize
1.0MB

Download
memory/2904-10-0x0000000004A60000-0x00000000050B8000-memory.dmp

Filesize
6.3MB

Download
memory/2904-7-0x0000000000000000-mapping.dmp

Download
memory/4068-24-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/4068-31-0x0000000008820000-0x0000000008821000-memory.dmp

Filesize
4KB

Download
memory/4068-32-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4068-30-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/4068-29-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/4068-28-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/4068-27-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/4068-26-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/4068-25-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/4068-23-0x0000000071520000-0x0000000071C0E000-memory.dmp

Filesize
6.9MB

Download
memory/4068-22-0x0000000000000000-mapping.dmp

Download