Overview

overview

8

Static

static

galadriel

windows7_x64

8

Resubmissions

22-01-2021 13:50

210122-8mzgcvqz7j 8

22-01-2021 13:30

210122-9kfvyp6lrx 8

22-01-2021 13:27

210122-t61ddv7plj 10

Analysis

  • max time kernel
    279s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-01-2021 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll

  • Size

    7.5MB

  • MD5

    d88626469337e68200907f9c3573eb04

  • SHA1

    9ac4991a8518166ac9b11bfca02045ba1c7822fd

  • SHA256

    06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698

  • SHA512

    e6fbd55aeecf8d03bb621311918ddff34ed254ed580e4d2ce2d254f23c6dcfadb64f6701e61bd921042100f7f06ee112d7348d8c7ff0ba014a2a2ea8d8e28175

Score
8/10
discoveryspyware

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\06456edb20ab947356811ad8ce3a16ae3ea702342163b67907217a3d28b6d698.dll,JB4GLDbaA5Dm
        3⤵
        • Blocklisted process makes network request
        • Drops desktop.ini file(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1056-2-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1208-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-4-0x0000000075A61000-0x0000000075A63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1208-5-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1208-6-0x0000000001F50000-0x00000000026D2000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1208-7-0x00000000741A0000-0x0000000074343000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1208-10-0x0000000003621000-0x0000000003C7E000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/1720-8-0x0000000000000000-mapping.dmp
    Download
  • memory/1720-12-0x0000000074730000-0x00000000748D3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1720-13-0x0000000001FA0000-0x0000000002722000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1720-14-0x0000000003531000-0x0000000003B8E000-memory.dmp
    Filesize

    6.4MB

    Download