Overview

overview

10

Static

static

championship.inf.dll

windows7_x64

10

Resubmissions

15-09-2021 06:42

210915-hgtlhadaer 10

14-09-2021 08:06

210914-jzwz1sacfj 10

10-09-2021 11:57

210910-n4w8ssdbdp 10

08-09-2021 11:10

210908-m965hshefk 10

Analysis

  • max time kernel
    14s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-09-2021 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    championship.inf.dll

  • Size

    2.0MB

  • MD5

    0b7da6388091ff9d696a18c95d41b587

  • SHA1

    6c10d7d88606ac1afd30b4e61bf232329a276cdc

  • SHA256

    6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

  • SHA512

    45b26e8f9885dca6f4e1984fc39cb4c2a5b5988c970f35dde987b7a5a8417acbe5e972a6602071e903425f91a9095c7c289e574c3bad3039324185ad85d06a9a

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\championship.inf.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1040
  • C:\Program Files\Windows Mail\wabmig.exe
    "C:\Program Files\Windows Mail\wabmig.exe"
    1⤵
    • Process spawned unexpected child process
    PID:2032
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\championship.inf.dll" -Force
    1⤵
    • Process spawned unexpected child process
    • Deletes itself
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/920-62-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-63-0x000000001AA20000-0x000000001AA21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-64-0x000000001A970000-0x000000001A971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-65-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-66-0x000000001A9A0000-0x000000001A9A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/920-67-0x000000001A9A4000-0x000000001A9A6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/920-69-0x000000001B460000-0x000000001B461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/920-70-0x000000001C060000-0x000000001C061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1040-68-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2032-60-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

    Filesize

    8KB

    Download