Analysis
- max time kernel: 48s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-03-2021 22:00
Behavioral tasks
- behavioral1: sample Wolfteam/Hack.exe, resource win7v20201028
- behavioral2: sample Wolfteam/Hack.exe, resource win10v20201028
- behavioral3: sample Wolfteam/SpeedTreeRT.dll, resource win7v20201028
- behavioral4: sample Wolfteam/SpeedTreeRT.dll, resource win10v20201028
- behavioral5: sample Wolfteam/api_ms_win_core_interlocked_l1_1_0.dll, resource win7v20201028
- behavioral6: sample Wolfteam/api_ms_win_core_interlocked_l1_1_0.dll, resource win10v20201028
- behavioral7: sample Wolfteam/api_ms_win_core_synch_l1_1_0.dll, resource win7v20201028
- behavioral8: sample Wolfteam/api_ms_win_core_synch_l1_1_0.dll, resource win10v20201028
- behavioral9: sample Wolfteam/api_ms_win_core_timezone_l1_1_0.dll, resource win7v20201028
- behavioral10: sample Wolfteam/api_ms_win_core_timezone_l1_1_0.dll, resource win10v20201028
- behavioral11: sample Wolfteam/api_ms_win_crt_locale_l1_1_0.dll, resource win7v20201028
- behavioral12: sample Wolfteam/api_ms_win_crt_locale_l1_1_0.dll, resource win10v20201028
- behavioral13: sample Wolfteam/python27.dll, resource win7v20201028
- behavioral14: sample Wolfteam/python27.dll, resource win10v20201028
Errors

General
- Target: Wolfteam/api_ms_win_core_synch_l1_1_0.dll
- Size: 20KB
- MD5: 981a70962828df80f65c822196daac8d
- SHA1: 1e9bc0925b963860c0755564f74b3fadb242f4eb
- SHA256: d664f63c82b14e4d1cc52a1e6d0477b0ed9f333a12935e4e4ae2c223ca9d5437
- SHA512: 7222b99805e09069a7045818629eeac43119b8c1fe0a10cf4b840895f10187d14d7a253ca869edb9d03d54fd326d28c1aa0514cd3ec5d9661b71600b69173b3e
Malware Config

Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process
    1532  2004        WerFault.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1532  WerFault.exe
    1532  WerFault.exe
    1532  WerFault.exe
    1532  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            1532  WerFault.exe
    Token: 33                          1332  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1332  AUDIODG.EXE
    Token: 33                          1332  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1332  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                        pid   process        target process
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 292 wrote to memory of 2004    292   rundll32.exe   rundll32.exe
    PID 2004 wrote to memory of 1532   2004  rundll32.exe   WerFault.exe
    PID 2004 wrote to memory of 1532   2004  rundll32.exe   WerFault.exe
    PID 2004 wrote to memory of 1532   2004  rundll32.exe   WerFault.exe
    PID 2004 wrote to memory of 1532   2004  rundll32.exe   WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wolfteam\api_ms_win_core_synch_l1_1_0.dll,#11⤵
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wolfteam\api_ms_win_core_synch_l1_1_0.dll,#12⤵
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2241⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x01⤵
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x5041⤵
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix
Downloads
- memory/268-7-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp (filesize 8KB)
- memory/268-8-0x0000000002840000-0x0000000002841000-memory.dmp (filesize 4KB)
- memory/1532-4-0x0000000000000000-mapping.dmp
- memory/1532-5-0x0000000000B50000-0x0000000000B61000-memory.dmp (filesize 68KB)
- memory/1532-6-0x00000000005C0000-0x00000000005C1000-memory.dmp (filesize 4KB)
- memory/1600-10-0x0000000002820000-0x0000000002821000-memory.dmp (filesize 4KB)
- memory/2004-3-0x0000000076861000-0x0000000076863000-memory.dmp (filesize 8KB)
- memory/2004-2-0x0000000000000000-mapping.dmp