Analysis
- max time kernel: 19s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 09:10
Static task: static1
Behavioral task: behavioral1
- Sample: ab80e92fbdd11c699d650a455de769d0.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ab80e92fbdd11c699d650a455de769d0.exe
- Resource: win10v20210410
General
- Target: ab80e92fbdd11c699d650a455de769d0.exe
- Size: 392KB
- MD5: ab80e92fbdd11c699d650a455de769d0
- SHA1: 56fa38589ebc1653d285aaaf9f79426ac5f1d826
- SHA256: 4fb561dbdfd2eac3757e56df1cda954fc4cdbab3da7225ea97ed3a9111ae74e5
- SHA512: 141d58c3a36982398cc991b83f4e4d70304c7fe9f3ef1920eec6ffba4b75164f326614e34f87b03ce576b5a08d2c84e369b775570ff57d727cab6313a792b0f5
Malware Config
- Extracted family: systembc
- Extracted addresses:
  - 65.21.93.53:4173
  - 95.216.118.223:4173
Signatures
- Blocklisted process makes network request (1 IoC)
  Process: rundll32.exe (PID 3924, flow 16)
- Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 3924)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: ab80e92fbdd11c699d650a455de769d0.exe
  IoC: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProtectIT = "C:\\Windows\\System32\\rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\valid.sa, rundll"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: ab80e92fbdd11c699d650a455de769d0.exe
  - PID 4432 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 3924 (rundll32.exe), reported 3 times
  - PID 4432 (ab80e92fbdd11c699d650a455de769d0.exe) wrote to memory of PID 4020 (cmd.exe), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\valid.sa, rundll
    - Blocklisted process makes network request
    - Loads dropped DLL
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe"
Downloads
- C:\Users\Admin\AppData\Roaming\valid.sa
  MD5: 4ed86d03e1b1992737a82147f37b0f26
  SHA1: 65c8d604169f09b9d746ee1d5137f35e0de73a8e
  SHA256: 1f5ab2dd8c68798890cc3f34c342aae74fb15846d2beb3cc4fc78dc6a94f7d1c
  SHA512: 238b338aa6b5d31f17e64ccf9e635c19867bf8eb267578a65158a61bb6bea5ec616b5798dafabd3ca0797268869e7b414db1d3668542ef95698d0cf9f17839c5
- memory/3924-114-0x0000000000000000-mapping.dmp
- memory/3924-120-0x0000000002C10000-0x0000000002C15000-memory.dmp (Filesize: 20KB)
- memory/3924-121-0x00000000045F0000-0x00000000045F7000-memory.dmp (Filesize: 28KB)
- memory/4020-115-0x0000000000000000-mapping.dmp
- memory/4432-118-0x0000000000910000-0x00000000009BE000-memory.dmp (Filesize: 696KB)
- memory/4432-119-0x0000000000400000-0x0000000000901000-memory.dmp (Filesize: 5.0MB)