Analysis
- max time kernel: 19s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-06-2021 10:08
Static task: static1
Behavioral task: behavioral1
  Sample: ab80e92fbdd11c699d650a455de769d0.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: ab80e92fbdd11c699d650a455de769d0.exe
  Resource: win10v20210408
General
- Target: ab80e92fbdd11c699d650a455de769d0.exe
- Size: 392KB
- MD5: ab80e92fbdd11c699d650a455de769d0
- SHA1: 56fa38589ebc1653d285aaaf9f79426ac5f1d826
- SHA256: 4fb561dbdfd2eac3757e56df1cda954fc4cdbab3da7225ea97ed3a9111ae74e5
- SHA512: 141d58c3a36982398cc991b83f4e4d70304c7fe9f3ef1920eec6ffba4b75164f326614e34f87b03ce576b5a08d2c84e369b775570ff57d727cab6313a792b0f5
Malware Config
Extracted: systembc
C2 addresses:
- 65.21.93.53:4173
- 95.216.118.223:4173
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow 15, pid 2604, process rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe
  pid 2604 rundll32.exe
  pid 2604 rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ab80e92fbdd11c699d650a455de769d0.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProtectIT = "C:\\Windows\\System32\\rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\valid.sa, rundll"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: ab80e92fbdd11c699d650a455de769d0.exe
  PID 900 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 2604 (rundll32.exe)
  PID 900 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 2604 (rundll32.exe)
  PID 900 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 2604 (rundll32.exe)
  PID 900 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 2468 (cmd.exe)
  PID 900 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 2468 (cmd.exe)
  PID 900 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 2468 (cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\valid.sa, rundll
    - Blocklisted process makes network request
    - Loads dropped DLL
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\valid.sa
  MD5: 4ed86d03e1b1992737a82147f37b0f26
  SHA1: 65c8d604169f09b9d746ee1d5137f35e0de73a8e
  SHA256: 1f5ab2dd8c68798890cc3f34c342aae74fb15846d2beb3cc4fc78dc6a94f7d1c
  SHA512: 238b338aa6b5d31f17e64ccf9e635c19867bf8eb267578a65158a61bb6bea5ec616b5798dafabd3ca0797268869e7b414db1d3668542ef95698d0cf9f17839c5
- memory/900-121-0x0000000000400000-0x0000000000901000-memory.dmp (Filesize: 5.0MB)
- memory/900-120-0x0000000000B40000-0x0000000000B75000-memory.dmp (Filesize: 212KB)
- memory/2468-115-0x0000000000000000-mapping.dmp
- memory/2604-114-0x0000000000000000-mapping.dmp
- memory/2604-119-0x0000000000B60000-0x0000000000B83000-memory.dmp (Filesize: 140KB)
- memory/2604-122-0x0000000000CA0000-0x0000000000CA5000-memory.dmp (Filesize: 20KB)
- memory/2604-123-0x0000000000CC0000-0x0000000000CC7000-memory.dmp (Filesize: 28KB)