Analysis
-
max time kernel
48s -
max time network
60s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-01-2021 00:53
Static task
static1
Behavioral task
behavioral1
Sample
E1-20191210_102353.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
E1-20191211_134358.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
E1-20191212_112720.dll
Resource
win10v20201028
Behavioral task
behavioral4
Sample
E1-20201223_211330.dll
Resource
win10v20201028
Behavioral task
behavioral5
Sample
E2-20191210_102353.dll
Resource
win10v20201028
Behavioral task
behavioral6
Sample
E2-20191211_134358.dll
Resource
win10v20201028
Behavioral task
behavioral7
Sample
E2-20210112_211117.dll
Resource
win10v20201028
Behavioral task
behavioral8
Sample
E3-20191210_102353.dll
Resource
win10v20201028
Behavioral task
behavioral9
Sample
E3-20191210_121355.dll
Resource
win10v20201028
General
-
Target
E1-20191212_112720.dll
-
Size
271KB
-
MD5
6d65571a1d5bb5ce2f3168dbcc6c12c9
-
SHA1
c5c2903fcdf700d27b240f834f1641b67fa352c7
-
SHA256
8fa8d19ca8875f370b5267c9e666f67d3eeb4ea55d061e6ac0aa618e8ac3d8de
-
SHA512
84732ad954375ee0d524c38cad5898cff8c8b1bdfb67c9ae7f8920c2c2f098871d7e1ee87c118c6cf1fd09cbad919a43897715112a1506139f62547ee74f04a3
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 10 2276 rundll32.exe 14 2276 rundll32.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Ywdbzlwia\nlmcsxpi.nlr rundll32.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exepid process 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
rundll32.exepid process 1332 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1144 wrote to memory of 1332 1144 rundll32.exe rundll32.exe PID 1144 wrote to memory of 1332 1144 rundll32.exe rundll32.exe PID 1144 wrote to memory of 1332 1144 rundll32.exe rundll32.exe PID 1332 wrote to memory of 2276 1332 rundll32.exe rundll32.exe PID 1332 wrote to memory of 2276 1332 rundll32.exe rundll32.exe PID 1332 wrote to memory of 2276 1332 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\E1-20191212_112720.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\E1-20191212_112720.dll,#12⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ywdbzlwia\nlmcsxpi.nlr",ShowDialogA3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses