Overview

overview

8

Static

static

NoNet

windows10_x64

8

NoNet

windows10_x64

8

NoNet

windows10_x64

8

NoNet

windows10_x64

1

NoNet

windows10_x64

8

NoNet

windows10_x64

8

NoNet

windows10_x64

8

NoNet

windows10_x64

8

NoNet

windows10_x64

8

Analysis

  • max time kernel
    42s
  • max time network
    51s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 00:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E2-20210112_211117.dll

  • Size

    326KB

  • MD5

    0ee5c78c6e2ee9f8a8c201474fd03b2e

  • SHA1

    b9ee4779a250c3b12178ea84bb406073acc1e65a

  • SHA256

    2ddb9f69277cc1e2d2d2fe68462774b793dba5ef2c4857f4d7cc1023900c5f36

  • SHA512

    081395800148b74f7c1a82948417e98a0016642a75e7e3c13e9255d66594550befe6f12dbd564ec6aa6ede01f53c45c97d7e9864c58762102ff6cf6d0d56a261

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210112_211117.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210112_211117.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ixhgetgykewabpu\wurzoscfkilpbo.orx",PqhT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4200
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ixhgetgykewabpu\wurzoscfkilpbo.orx",#1
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          PID:4172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4172-4-0x0000000000000000-mapping.dmp
    Download
  • memory/4200-3-0x0000000000000000-mapping.dmp
    Download
  • memory/4804-2-0x0000000000000000-mapping.dmp
    Download