Analysis
max time kernel: 42s
max time network: 51s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 00:53
Static task: static1
Behavioral task: behavioral1
  Sample: E1-20191210_102353.dll
  Resource: win10v20201028
Behavioral task: behavioral2
  Sample: E1-20191211_134358.dll
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: E1-20191212_112720.dll
  Resource: win10v20201028
Behavioral task: behavioral4
  Sample: E1-20201223_211330.dll
  Resource: win10v20201028
Behavioral task: behavioral5
  Sample: E2-20191210_102353.dll
  Resource: win10v20201028
Behavioral task: behavioral6
  Sample: E2-20191211_134358.dll
  Resource: win10v20201028
Behavioral task: behavioral7
  Sample: E2-20210112_211117.dll
  Resource: win10v20201028
Behavioral task: behavioral8
  Sample: E3-20191210_102353.dll
  Resource: win10v20201028
Behavioral task: behavioral9
  Sample: E3-20191210_121355.dll
  Resource: win10v20201028
General
Target: E2-20210112_211117.dll
Size: 326KB
MD5: 0ee5c78c6e2ee9f8a8c201474fd03b2e
SHA1: b9ee4779a250c3b12178ea84bb406073acc1e65a
SHA256: 2ddb9f69277cc1e2d2d2fe68462774b793dba5ef2c4857f4d7cc1023900c5f36
SHA512: 081395800148b74f7c1a82948417e98a0016642a75e7e3c13e9255d66594550befe6f12dbd564ec6aa6ede01f53c45c97d7e9864c58762102ff6cf6d0d56a261
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
    14 | 4172 | rundll32.exe
    18 | 4172 | rundll32.exe
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\Ixhgetgykewabpu\wurzoscfkilpbo.orx | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid | process):
    4172 | rundll32.exe
    4172 | rundll32.exe
    4172 | rundll32.exe
    4172 | rundll32.exe
    4172 | rundll32.exe
    4172 | rundll32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
    4804 | rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4648 wrote to memory of 4804 | 4648 | rundll32.exe | rundll32.exe
    PID 4648 wrote to memory of 4804 | 4648 | rundll32.exe | rundll32.exe
    PID 4648 wrote to memory of 4804 | 4648 | rundll32.exe | rundll32.exe
    PID 4804 wrote to memory of 4200 | 4804 | rundll32.exe | rundll32.exe
    PID 4804 wrote to memory of 4200 | 4804 | rundll32.exe | rundll32.exe
    PID 4804 wrote to memory of 4200 | 4804 | rundll32.exe | rundll32.exe
    PID 4200 wrote to memory of 4172 | 4200 | rundll32.exe | rundll32.exe
    PID 4200 wrote to memory of 4172 | 4200 | rundll32.exe | rundll32.exe
    PID 4200 wrote to memory of 4172 | 4200 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210112_211117.dll,#1
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210112_211117.dll,#1
     - Drops file in System32 directory
     - Suspicious behavior: RenamesItself
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\rundll32.exe
       C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ixhgetgykewabpu\wurzoscfkilpbo.orx",PqhT
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\rundll32.exe
         C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ixhgetgykewabpu\wurzoscfkilpbo.orx",#1
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses