Analysis

max time kernel: 4s
max time network: 8s
platform: windows7_x64
resource: win7v20201028
submitted: 26-11-2020 13:54

Static task: static1
Behavioral task: behavioral1
Sample: Shipping INVOICE-BL Shipment..exe
Resource: win7v20201028
General

Target: Shipping INVOICE-BL Shipment..exe
Size: 427KB
MD5: 579ba39b6a146080ef6481591440e445
SHA1: 06bfc3b47e1ad6a35e10cb4a1edee6c563710107
SHA256: d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
SHA512: bc2c920da35971ea6a6dfa8fc4f49829d6ba1eeae9589207b1f77a6e5f66d66dcb87396aadce266a61652f6fdfbe40503b9183af5f5ce26fa6cc9218df1597b9
Malware Config
Signatures

- Loads dropped DLL (1 IoC)
  PID   Process
  1028  rundll32.exe

- Program crash (1 IoC)
  PID   Process       Target PID  Target process
  1708  WerFault.exe  1028        rundll32.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID   Process
  1708  WerFault.exe  (5 identical hits)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  1708  WerFault.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Description                       PID   Process                            Target PID  Target process
  PID 1688 wrote to memory of 1028  1688  Shipping INVOICE-BL Shipment..exe  1028        rundll32.exe  (7 hits)
  PID 1028 wrote to memory of 1708  1028  rundll32.exe                       1708        WerFault.exe  (4 hits)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe  (PID 1688)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe  (PID 1028, child of 1688)
      Command line: rundll32.exe Prehnite,Lychnises
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe  (PID 1708, child of 1028)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 264
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
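The chain above (a dropper in the user's Temp directory starting rundll32.exe with a bare module name, which then crashes into WerFault.exe) is a pattern worth a detection rather than a one-off IoC. The following is an added example, not code from the sandbox vendor or from the sample: it runs simple detection logic over a few constructed process-creation records shaped like Sysmon Event ID 1 and modelled on this report's process tree. The record layout, the field names, and the benign control record are assumptions made for the illustration; the PIDs and command lines of the three malicious records are taken from the report.

```python
"""Detection logic for the rundll32 / dropped-DLL / WerFault chain in this report.

Added example, not part of the sandbox report. It flags:
 (a) rundll32.exe whose parent runs out of a user Temp directory and whose
     module argument has no directory component (e.g. "Prehnite,Lychnises");
 (b) a WerFault.exe instance started for the PID of such a rundll32.
Record layout and sample records are constructed assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# Parent image located under <drive>:\Users\<user>\AppData\Local\Temp\
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# WerFault names the crashed process with "-p <pid>" (report: -u -p 1028 -s 264)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field names)."""
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


def rundll32_module_arg(cmdline):
    """Return (module, entry) for 'rundll32.exe <module>,<entry> ...', else None."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    if ntpath.basename(parts[0].strip('"')).lower() != "rundll32.exe":
        return None
    arg = parts[1].strip().split()[0]
    module, _, entry = arg.partition(",")
    return module, entry


def is_bare_module(module):
    """True when the module has no directory component.

    rundll32 passes the name to LoadLibrary, which appends .DLL when there is no
    extension and walks the DLL search path (the launcher's directory first), so
    a bare name like 'Prehnite' loads a DLL dropped beside the dropper without a
    path ever appearing on the command line.
    """
    return "\\" not in module and "/" not in module


def detect(events):
    """Return a list of findings over the given process-creation records."""
    findings = []
    flagged_rundll32 = set()
    for ev in events:
        parsed = rundll32_module_arg(ev.cmdline)
        if parsed and USER_TEMP_RE.match(ev.parent_image) and is_bare_module(parsed[0]):
            flagged_rundll32.add(ev.pid)
            findings.append(("rundll32_bare_module_from_temp", ev.pid, parsed[0], parsed[1]))
    for ev in events:
        if ntpath.basename(ev.image).lower() != "werfault.exe":
            continue
        m = WERFAULT_PID_RE.search(ev.cmdline)
        if m and int(m.group(1)) in flagged_rundll32:
            findings.append(("werfault_for_flagged_rundll32", ev.pid, int(m.group(1))))
    return findings


# Constructed records modelled on the process tree in this report.
SAMPLE_EVENTS = [
    ProcEvent(1688, r"C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe"',
              1234, r"C:\Windows\explorer.exe"),
    ProcEvent(1028, r"C:\Windows\SysWOW64\rundll32.exe",
              "rundll32.exe Prehnite,Lychnises",
              1688, r"C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe"),
    ProcEvent(1708, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 264",
              1028, r"C:\Windows\SysWOW64\rundll32.exe"),
    # Benign control (assumed): full DLL path, launched by explorer, must not fire.
    ProcEvent(2000, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
              1234, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The WerFault correlation is deliberately keyed on the rundll32 finding rather than on crashes in general: crash handlers fire constantly on a busy host, but a crash in a rundll32 that was already flagged for loading a bare-named module from a Temp-resident parent is the exact shape recorded in this report.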
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Temp\Erodium
  MD5: 980a6b092855d202363b6436e4a854e8
  SHA1: aa8e1a7e1ab7832c3112e5c35b7da143ff919ce0
  SHA256: f617d029f947ebb5c0b7b159233e699f5653a1f92e81f9fe44c60555884dc93c
  SHA512: 6dedf42a718dbc5a4ad25c20561c3adc0fc629d1135aa68d02fc264363617c827fe7eaa0dd49e828df93d80852b4e5aa8c932b20d43ff833c02c4b868df30367

- C:\Users\Admin\AppData\Local\Temp\Prehnite.DLL
  MD5: f8aa685a3908110e79f4639aa7daddfa
  SHA1: dd4d16172ea4851f757abd34a8cb3c835552e6a3
  SHA256: aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a
  SHA512: 8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

- \Users\Admin\AppData\Local\Temp\Prehnite.dll
  MD5, SHA1, SHA256 and SHA512 identical to C:\Users\Admin\AppData\Local\Temp\Prehnite.DLL above (the same dropped file, recorded under a second path spelling).

- memory/1028-0-0x0000000000000000-mapping.dmp
- memory/1028-6-0x0000000000000000-mapping.dmp
- memory/1708-4-0x0000000000000000-mapping.dmp
- memory/1708-5-0x00000000022F0000-0x0000000002301000-memory.dmp  (68KB)
- memory/1708-7-0x0000000002540000-0x0000000002551000-memory.dmp  (68KB)