Analysis
- max time kernel: 55s
- max time network: 57s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 00:53
Static task: static1

Behavioral tasks (all run on resource win10v20201028):
- behavioral1: E1-20191210_102353.dll
- behavioral2: E1-20191211_134358.dll
- behavioral3: E1-20191212_112720.dll
- behavioral4: E1-20201223_211330.dll
- behavioral5: E2-20191210_102353.dll
- behavioral6: E2-20191211_134358.dll
- behavioral7: E2-20210112_211117.dll
- behavioral8: E3-20191210_102353.dll
- behavioral9: E3-20191210_121355.dll
General
- Target: E2-20191211_134358.dll
- Size: 269KB
- MD5: 2c177c13a67a7a8ce5e2c5a0312e3223
- SHA1: 1158b27db357ba36fc3922d0f85d7be3ab3f3aa7
- SHA256: 2bffe5e50c10299a36490f0c0ab76c4b31acbd111e52684bb141d1bc267493ae
- SHA512: 8a0684acf5ac3d079104a6684c0ab1d32728008295417b36f56572178e83ba08ca47ce31a1a0f9d47b79ec8b4036c7437b3ff8d5e79cf5b2ebbfeb1d1b063925
Malware Config
Signatures

- Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe

| flow | pid | process      |
|------|-----|--------------|
| 12   | 868 | rundll32.exe |
| 15   | 868 | rundll32.exe |

- Drops file in System32 directory (1 IoC)
Processes: rundll32.exe

| description                  | ioc                                            | process      |
|------------------------------|------------------------------------------------|--------------|
| File opened for modification | C:\Windows\SysWOW64\Wddlcwtjzt\dxrpiqoto.wnu | rundll32.exe |

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: rundll32.exe

| pid | process      |
|-----|--------------|
| 868 | rundll32.exe |
| 868 | rundll32.exe |
| 868 | rundll32.exe |
| 868 | rundll32.exe |
| 868 | rundll32.exe |
| 868 | rundll32.exe |

- Suspicious behavior: RenamesItself (1 IoC)
Processes: rundll32.exe

| pid  | process      |
|------|--------------|
| 1180 | rundll32.exe |

- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe

| description                     | pid  | process      | target process |
|---------------------------------|------|--------------|----------------|
| PID 60 wrote to memory of 1180  | 60   | rundll32.exe | rundll32.exe   |
| PID 60 wrote to memory of 1180  | 60   | rundll32.exe | rundll32.exe   |
| PID 60 wrote to memory of 1180  | 60   | rundll32.exe | rundll32.exe   |
| PID 1180 wrote to memory of 868 | 1180 | rundll32.exe | rundll32.exe   |
| PID 1180 wrote to memory of 868 | 1180 | rundll32.exe | rundll32.exe   |
| PID 1180 wrote to memory of 868 | 1180 | rundll32.exe | rundll32.exe   |
Processes (tree; indentation shows parent/child depth)

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20191211_134358.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20191211_134358.dll,#1
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (child)
      Command line: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wddlcwtjzt\dxrpiqoto.wnu",ShowDialogA
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses