Analysis
- max time kernel: 5s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 14:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: 372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll
  - Resource: win10v20201028
General
- Target: 372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll
- Size: 846KB
- MD5: 85003057fbddd3468478adc04a1b50cd
- SHA1: acdd39a0d8068bfc4a16a0193c90eae85a5831fa
- SHA256: 372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef
- SHA512: 989f0738855e83b3ec9d97a7c9f93c0362285393cb1b7a266d6d1287bffad97c3a674c1738d1d0dc32c9751f68025da34f176a9bcc81c27b39fc1accdbbabb06
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow | pid  | process
    4    | 2000 | rundll32.exe
- Sets service image path in registry (2 TTPs)
  Processes:
    resource                                      | yara_rule
    \Users\Admin\AppData\Local\Temp\BGqsnKHv.dll | upx
- Loads dropped DLL (1 IoCs)
  Processes:
    pid  | process
    2000 | rundll32.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description  | ioc                          | process
    File created | C:\Windows\LHxJEClUpdc.sys   | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid  | process
    2000 | rundll32.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes:
    pid  | process
    2000 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                  | pid  | process
    Token: SeDebugPrivilege      | 2000 | rundll32.exe
    Token: SeLoadDriverPrivilege | 2000 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                       | pid  | process      | target process
    PID 1852 wrote to memory of 2000  | 1852 | rundll32.exe | rundll32.exe
    (this row is recorded 7 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll,#1
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\BGqsnKHv.dll
  - MD5: c637559fada3fe53e5a6f8dcc0a5bf4f
  - SHA1: 265af8613fef8024190e6e49b1b24cf34060d86b
  - SHA256: 9d7fc881646ba2db7023ed8f0857c1a82df0d81ebef839d20063a027fe4b9e7d
  - SHA512: fc0a32bb05b3b4ff96382d0c3d1857b1eb70c4e9030073c33579998f1fca40c8dcd6b2960c329c9845af5aa245566577198fa18e9c1985850038e84af1ac56ce
- memory/2000-2-0x0000000000000000-mapping.dmp
- memory/2000-3-0x00000000756C1000-0x00000000756C3000-memory.dmp
  - Filesize: 8KB
- memory/2000-5-0x0000000000100000-0x0000000000103000-memory.dmp
  - Filesize: 12KB