Overview

overview

8

Static

static

06456edb20...98.dll

windows7_x64

8

06456edb20...98.dll

windows10_x64

8

Resubmissions

22-01-2021 13:50

210122-8mzgcvqz7j 8

22-01-2021 13:30

210122-9kfvyp6lrx 8

22-01-2021 13:27

210122-t61ddv7plj 10

Analysis

  • max time kernel
    127s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-01-2021 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll

  • Size

    7.5MB

  • MD5

    d88626469337e68200907f9c3573eb04

  • SHA1

    9ac4991a8518166ac9b11bfca02045ba1c7822fd

  • SHA256

    06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698

  • SHA512

    e6fbd55aeecf8d03bb621311918ddff34ed254ed580e4d2ce2d254f23c6dcfadb64f6701e61bd921042100f7f06ee112d7348d8c7ff0ba014a2a2ea8d8e28175

Score
8/10
discoveryransomwarespyware

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll,eC9J
        3⤵
        • Blocklisted process makes network request
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp54AD.tmp.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3452
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6E04.tmp.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            5⤵
              PID:2668
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:2280
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              4⤵
                PID:3928

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          47eebe401625bbc55e75dbfb72e9e89a

          SHA1

          db3b2135942d2532c59b9788253638eb77e5995e

          SHA256

          f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

          SHA512

          590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          19d57a3324590b202b143397934c6c85

          SHA1

          57cdf991a54b5786df26474aab4916b2093d5991

          SHA256

          0207feeb1b960803fbcfca3706a3fea635fa66fd591f6679ea2c4a7d2010257c

          SHA512

          a489ba3ee598667e211bde07b7b81d3dae61a2c6cfcb7a4b5ae8021077b74a1013c0fa2898e78e992389ad93e3e3be30a0c631a60e9664f04c332e808a6eb53f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp54AD.tmp.ps1
          MD5

          65a5a687fbe1797238ddcac533be15a8

          SHA1

          276d1dcdeb312196a7eb77bc665d55e13b303060

          SHA256

          04a5f08c6b26f7185321818443b6ab17b47cf51b5fb1c2f163e254f52c7dc2e7

          SHA512

          1d6ac9f9210ea05865f20075aaf1fcfb1761b7b867b3c67c3ed9912b18b8d2c02ad984023381e971d4b80dacf81114a5d3ae0b10461b9038669eb7cbb47c9119

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp54AE.tmp
          MD5

          c416c12d1b2b1da8c8655e393b544362

          SHA1

          fb1a43cd8e1c556c2d25f361f42a21293c29e447

          SHA256

          0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

          SHA512

          cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp6E04.tmp.ps1
          MD5

          f606452345b50838d9c61619f42b9b4b

          SHA1

          016d5aa2c82adfd8943ba4475e2e9ec64e294e3e

          SHA256

          59842052015ccb6733583a58194a0ceb395769d19f79a99e0d318e9505bbe059

          SHA512

          cfd5258a27efb268cd84b1e4f129f285b8164c74c895db6a52e402f852c7f37cbf1138c02145234272c82028d1133abc0b67fbaaf07f920521a77b24916f334d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp6E05.tmp
          MD5

          1860260b2697808b80802352fe324782

          SHA1

          f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

          SHA256

          0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

          SHA512

          d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

          Download Submit
        • memory/640-3-0x00000000003E0000-0x00000000003E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-7-0x0000000004180000-0x0000000004902000-memory.dmp
          Filesize

          7.5MB

          Download
        • memory/640-8-0x00000000058C1000-0x0000000005F1E000-memory.dmp
          Filesize

          6.4MB

          Download
        • memory/640-2-0x0000000000000000-mapping.dmp
          Download
        • memory/648-40-0x0000000007CF0000-0x0000000007CF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/648-32-0x0000000000000000-mapping.dmp
          Download
        • memory/648-53-0x0000000006EA3000-0x0000000006EA4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/648-45-0x0000000006EA2000-0x0000000006EA3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/648-44-0x0000000006EA0000-0x0000000006EA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/648-43-0x0000000008160000-0x0000000008161000-memory.dmp
          Filesize

          4KB

          Download
        • memory/648-34-0x0000000070AF0000-0x00000000711DE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2280-52-0x0000000000000000-mapping.dmp
          Download
        • memory/2668-50-0x0000000000000000-mapping.dmp
          Download
        • memory/2936-6-0x0000000000000000-mapping.dmp
          Download
        • memory/2936-10-0x0000000004DB0000-0x0000000005532000-memory.dmp
          Filesize

          7.5MB

          Download
        • memory/2936-11-0x00000000064A1000-0x0000000006AFE000-memory.dmp
          Filesize

          6.4MB

          Download
        • memory/3452-23-0x00000000088C0000-0x00000000088C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-15-0x0000000007630000-0x0000000007631000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-29-0x0000000009750000-0x0000000009751000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-14-0x0000000006FC0000-0x0000000006FC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-31-0x0000000004B63000-0x0000000004B64000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-27-0x0000000009F20000-0x0000000009F21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-13-0x0000000071150000-0x000000007183E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3452-26-0x00000000087E0000-0x00000000087E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-12-0x0000000000000000-mapping.dmp
          Download
        • memory/3452-28-0x00000000094B0000-0x00000000094B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-24-0x00000000086B0000-0x00000000086B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-16-0x0000000004B60000-0x0000000004B61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-22-0x0000000008440000-0x0000000008441000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-21-0x0000000008030000-0x0000000008031000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-20-0x0000000007FC0000-0x0000000007FC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-19-0x0000000007D70000-0x0000000007D71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-18-0x0000000007CD0000-0x0000000007CD1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3452-17-0x0000000004B62000-0x0000000004B63000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3928-54-0x0000000000000000-mapping.dmp
          Download