Overview

overview

8

Static

static

06456edb20...98.dll

windows7_x64

8

06456edb20...98.dll

windows10_x64

8

Resubmissions

22-01-2021 13:50

210122-8mzgcvqz7j 8

22-01-2021 13:30

210122-9kfvyp6lrx 8

22-01-2021 13:27

210122-t61ddv7plj 10

Analysis

  • max time kernel
    127s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-01-2021 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll

  • Size

    7.5MB

  • MD5

    d88626469337e68200907f9c3573eb04

  • SHA1

    9ac4991a8518166ac9b11bfca02045ba1c7822fd

  • SHA256

    06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698

  • SHA512

    e6fbd55aeecf8d03bb621311918ddff34ed254ed580e4d2ce2d254f23c6dcfadb64f6701e61bd921042100f7f06ee112d7348d8c7ff0ba014a2a2ea8d8e28175

Score
8/10
discoveryransomwarespyware

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll,eC9J
        3⤵
        • Blocklisted process makes network request
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp54AD.tmp.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3452
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6E04.tmp.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            5⤵
              PID:2668
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:2280
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              4⤵
                PID:3928

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/640-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/640-7-0x0000000004180000-0x0000000004902000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/640-8-0x00000000058C1000-0x0000000005F1E000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/648-40-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/648-53-0x0000000006EA3000-0x0000000006EA4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/648-45-0x0000000006EA2000-0x0000000006EA3000-memory.dmp

          Filesize

          4KB

          Download

        • memory/648-44-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/648-43-0x0000000008160000-0x0000000008161000-memory.dmp

          Filesize

          4KB

          Download

        • memory/648-34-0x0000000070AF0000-0x00000000711DE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2936-10-0x0000000004DB0000-0x0000000005532000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/2936-11-0x00000000064A1000-0x0000000006AFE000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/3452-23-0x00000000088C0000-0x00000000088C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-15-0x0000000007630000-0x0000000007631000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-29-0x0000000009750000-0x0000000009751000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-14-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-31-0x0000000004B63000-0x0000000004B64000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-27-0x0000000009F20000-0x0000000009F21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-13-0x0000000071150000-0x000000007183E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3452-26-0x00000000087E0000-0x00000000087E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-28-0x00000000094B0000-0x00000000094B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-24-0x00000000086B0000-0x00000000086B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-16-0x0000000004B60000-0x0000000004B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-22-0x0000000008440000-0x0000000008441000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-21-0x0000000008030000-0x0000000008031000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-20-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-19-0x0000000007D70000-0x0000000007D71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-18-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-17-0x0000000004B62000-0x0000000004B63000-memory.dmp

          Filesize

          4KB

          Download