Resubmissions
- 15-09-2021 06:42  210915-hgtlhadaer  score 10
- 14-09-2021 08:06  210914-jzwz1sacfj  score 10
- 10-09-2021 11:57  210910-n4w8ssdbdp  score 10
- 08-09-2021 11:10  210908-m965hshefk  score 10
Analysis
- max time kernel: 26s
- max time network: 26s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-09-2021 06:42
Static task: static1
Behavioral task: behavioral1
- Sample: championship.inf.dll
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: championship.inf.dll
- Resource: win10-en
General
- Target: championship.inf.dll
- Size: 2.0MB
- MD5: 0b7da6388091ff9d696a18c95d41b587
- SHA1: 6c10d7d88606ac1afd30b4e61bf232329a276cdc
- SHA256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b
- SHA512: 45b26e8f9885dca6f4e1984fc39cb4c2a5b5988c970f35dde987b7a5a8417acbe5e972a6602071e903425f91a9095c7c289e574c3bad3039324185ad85d06a9a
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: wabmig.exe, powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 1452 | | wabmig.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 1452 | | powershell.exe
- Deletes itself (1 IoC)
  Processes: powershell.exe
  pid | process
  1592 | powershell.exe
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid | process
  1612 | rundll32.exe
  1592 | powershell.exe
  1592 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: rundll32.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1612 | rundll32.exe
  Token: SeDebugPrivilege | 1592 | powershell.exe
- Suspicious use of WriteProcessMemory (1 IoC)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1612 wrote to memory of 1664 | 1612 | rundll32.exe | wabmig.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\championship.inf.dll,#1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Program Files\Windows Mail\wabmig.exe
  Command line: "C:\Program Files\Windows Mail\wabmig.exe"
  - Process spawned unexpected child process
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\championship.inf.dll" -Force
  - Process spawned unexpected child process
  - Deletes itself
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1592-63-0x00000000025A0000-0x00000000025A1000-memory.dmp (Filesize: 4KB)
- memory/1592-64-0x000000001AC30000-0x000000001AC31000-memory.dmp (Filesize: 4KB)
- memory/1592-66-0x00000000024F0000-0x00000000024F1000-memory.dmp (Filesize: 4KB)
- memory/1592-65-0x000000001ABB0000-0x000000001ABB2000-memory.dmp (Filesize: 8KB)
- memory/1592-67-0x000000001ABB4000-0x000000001ABB6000-memory.dmp (Filesize: 8KB)
- memory/1592-68-0x00000000025E0000-0x00000000025E1000-memory.dmp (Filesize: 4KB)
- memory/1592-69-0x000000001B5E0000-0x000000001B5E1000-memory.dmp (Filesize: 4KB)
- memory/1592-70-0x000000001B750000-0x000000001B751000-memory.dmp (Filesize: 4KB)
- memory/1612-60-0x000000007FFF0000-0x000000007FFF1000-memory.dmp (Filesize: 4KB)
- memory/1664-61-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp (Filesize: 8KB)