Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-03-2021 05:53
Static task: static1
Behavioral task: behavioral1
Sample: rVuj5bF.bin.dll
Resource: win7v20201028
0 signatures
0 seconds
General
- Target: rVuj5bF.bin.dll
- Size: 403KB
- MD5: 4e9d3907d80cfe903df735b855d5eaeb
- SHA1: 3fcc74d0b646e8324f0a4cf4708890a8261f3e84
- SHA256: 280fedf6fd7e0964222ac9b21bcc289c222c7ea91d7bad6350741bdf8c1f0938
- SHA512: 672b8b0dd776ff156504e55c171fe035e5aac7b1b48ae785973113648717317eb611acbcc6141c5ab6c0096c4f41c24c335d957afbca1fddcf15dfde9750361f
Malware Config
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: msiexec.exe
  flow  pid   process
  18    3728  msiexec.exe
  19    3728  msiexec.exe
  20    3728  msiexec.exe
  21    3728  msiexec.exe
  22    3728  msiexec.exe
  23    3728  msiexec.exe
  25    3728  msiexec.exe
  26    3728  msiexec.exe
  27    3728  msiexec.exe
  28    3728  msiexec.exe
  29    3728  msiexec.exe
  30    3728  msiexec.exe
  38    3728  msiexec.exe
  40    3728  msiexec.exe
  41    3728  msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: rundll32.exe
  description                          pid   process       target process
  PID 3944 set thread context of 3728  3944  rundll32.exe  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: msiexec.exe
  description                 pid   process
  Token: SeSecurityPrivilege  3728  msiexec.exe
  Token: SeSecurityPrivilege  3728  msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                      pid   process       target process
  PID 3976 wrote to memory of 3944  3976  rundll32.exe  rundll32.exe
  PID 3976 wrote to memory of 3944  3976  rundll32.exe  rundll32.exe
  PID 3976 wrote to memory of 3944  3976  rundll32.exe  rundll32.exe
  PID 3944 wrote to memory of 3728  3944  rundll32.exe  msiexec.exe
  PID 3944 wrote to memory of 3728  3944  rundll32.exe  msiexec.exe
  PID 3944 wrote to memory of 3728  3944  rundll32.exe  msiexec.exe
  PID 3944 wrote to memory of 3728  3944  rundll32.exe  msiexec.exe
  PID 3944 wrote to memory of 3728  3944  rundll32.exe  msiexec.exe
Processes
- 1. C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\rVuj5bF.bin.dll,#1
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3728-5-0x0000000000000000-mapping.dmp
- memory/3728-6-0x0000000002C80000-0x0000000002CAB000-memory.dmp (Filesize: 172KB)
- memory/3944-2-0x0000000000000000-mapping.dmp
- memory/3944-3-0x0000000072B10000-0x0000000072B3B000-memory.dmp (Filesize: 172KB)
- memory/3944-4-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize: 4KB)