Analysis
max time kernel: 126s
max time network: 135s
platform: windows10_x64
resource: win10v20201028
submitted: 17-03-2021 16:21
Static task: static1
Behavioral task: behavioral1
  Sample: 32bit_decompressed.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 32bit_decompressed.dll
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 32bit_decompressed.dll
Size: 68KB
MD5: 9774b2e5e34269bc3adc01d73bdfa76a
SHA1: adc27dc8a9e33cc2c7684bf47d5cc98d0bdc7958
SHA256: e058280f4b15c1be6488049e0bdba555f1baf42e139b7251d6b2c230e28e0aef
SHA512: 90cefd6e4836d4a26f59f551a33a5b4d1cd45891156211e706ad72d16539a3dacda3da69c796e70b3bb6d141820ec2ac2d063a58657a27067f4662d3fa7b7516
Score: 10/10
Malware Config
Signatures
Mimikatz (1 IoC)
Mimikatz is an open source tool to dump credentials on Windows.
resource                                                                     yara_rule
behavioral2/memory/1068-3-0x00000000741C0000-0x00000000741D4000-memory.dmp   mimikatz
Blocklisted process makes network request (5 IoCs)
flow  pid   Process
8     1068  rundll32.exe
17    1068  rundll32.exe
19    1068  rundll32.exe
21    1068  rundll32.exe
23    1068  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid  Process       procid_target
PID 504 wrote to memory of 1068  504  rundll32.exe  70
PID 504 wrote to memory of 1068  504  rundll32.exe  70
PID 504 wrote to memory of 1068  504  rundll32.exe  70
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\32bit_decompressed.dll,#1
  PID: 504
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\32bit_decompressed.dll,#1
    PID: 1068
    - Blocklisted process makes network request
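The three signatures above only become a single finding once they are tied to the same process: the YARA hit on a memory dump taken from PID 1068, the five network flows from PID 1068, and the WriteProcessMemory events from PID 504 into PID 1068. The script below is an added example (not part of the sandbox report or of the Triage product) that parses the IoC rows exactly as they appear on this page, constructed here as inline input, and correlates them. The reading of the memory-dump file name as `<task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` and the "fits the sample" check (mapped region at least as large as the 68KB file) are this example's own assumptions.

```python
"""Correlate the Mimikatz YARA hit, the network flows and the WriteProcessMemory
events of the report above to one process.

Added example, not the sandbox report's or Triage's own code. Input values are
constructed from the IoC rows shown on the page; the dump-name layout and the
correlation rules are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the report's signature tables (values copied from the page).
YARA_HITS = [  # (resource, yara_rule)
    ("behavioral2/memory/1068-3-0x00000000741C0000-0x00000000741D4000-memory.dmp",
     "mimikatz"),
]
NETWORK_FLOWS = [  # (flow, pid, process)
    (8, 1068, "rundll32.exe"), (17, 1068, "rundll32.exe"), (19, 1068, "rundll32.exe"),
    (21, 1068, "rundll32.exe"), (23, 1068, "rundll32.exe"),
]
WPM_EVENTS = [  # (description, pid, process, procid_target)
    ("PID 504 wrote to memory of 1068", 504, "rundll32.exe", 70),
] * 3
PROCESS_TREE = [  # (pid, parent pid, image path) as drawn in the Processes section
    (504, None, r"C:\Windows\system32\rundll32.exe"),
    (1068, 504, r"C:\Windows\SysWOW64\rundll32.exe"),
]
SAMPLE_SIZE_BYTES = 68 * 1024  # "Size: 68KB" from the General section (page rounds)

# Assumed layout of a Triage memory-dump resource name; the middle number is
# taken to be a dump index and is not used.
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")


@dataclass(frozen=True)
class MemoryRegion:
    task: str
    pid: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> MemoryRegion:
    """Extract pid and address range from a memory-dump resource name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised memory dump name: {name}")
    return MemoryRegion(m["task"], int(m["pid"]), int(m["start"], 16), int(m["end"], 16))


def parse_wpm(description: str) -> tuple[int, int]:
    """Return (writer pid, target pid) from a WriteProcessMemory IoC description."""
    m = WPM_RE.match(description)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory description: {description}")
    return int(m["src"]), int(m["dst"])


def correlate(yara_hits, flows, wpm_events, tree, sample_size):
    """Find the one pid all three signatures point at; None if they disagree."""
    regions = [parse_dump_name(name) for name, _ in yara_hits]
    writes = {parse_wpm(desc) for desc, _, _, _ in wpm_events}  # de-duplicates the 3 rows
    parents = {pid: ppid for pid, ppid, _ in tree}
    images = {pid: path.lower() for pid, _, path in tree}

    candidates = {r.pid for r in regions} & {pid for _, pid, _ in flows} & {dst for _, dst in writes}
    if len(candidates) != 1:
        return None
    (pid,) = candidates
    writer = next(src for src, dst in writes if dst == pid)
    region = next(r for r in regions if r.pid == pid)
    return {
        "pid": pid,
        "writer": writer,
        "writer_is_parent": parents.get(pid) == writer,
        # 64-bit rundll32 handing a 32-bit DLL to its SysWOW64 copy: expected
        # for this sample, so the WPM events alone are weak evidence.
        "wow64_relaunch": "system32" in images[writer] and "syswow64" in images[pid],
        "region_size": region.size,
        "region_fits_sample": region.size >= sample_size,
        "network_flows": sorted(f for f, p, _ in flows if p == pid),
    }


if __name__ == "__main__":
    print(correlate(YARA_HITS, NETWORK_FLOWS, WPM_EVENTS, PROCESS_TREE, SAMPLE_SIZE_BYTES))
```

The `wow64_relaunch` flag is the caveat worth keeping in mind when reading this report: a 64-bit `rundll32.exe` that is handed a 32-bit DLL re-launches itself from `SysWOW64`, and the WriteProcessMemory events from 504 into 1068 are consistent with that hand-off rather than with a separate injection. The 10/10 score rests on the Mimikatz rule matching inside the child's memory and on that same child making the blocklisted network requests.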