Overview

overview

10

Static

static

championship.inf.dll

windows7_x64

10

championship.inf.dll

windows10_x64

10

Resubmissions

15-09-2021 06:42

210915-hgtlhadaer 10

14-09-2021 08:06

210914-jzwz1sacfj 10

10-09-2021 11:57

210910-n4w8ssdbdp 10

08-09-2021 11:10

210908-m965hshefk 10

Analysis

  • max time kernel
    26s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-09-2021 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    championship.inf.dll

  • Size

    2.0MB

  • MD5

    0b7da6388091ff9d696a18c95d41b587

  • SHA1

    6c10d7d88606ac1afd30b4e61bf232329a276cdc

  • SHA256

    6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

  • SHA512

    45b26e8f9885dca6f4e1984fc39cb4c2a5b5988c970f35dde987b7a5a8417acbe5e972a6602071e903425f91a9095c7c289e574c3bad3039324185ad85d06a9a

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes itself 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\championship.inf.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
  • C:\Program Files\Windows Mail\wabmig.exe
    "C:\Program Files\Windows Mail\wabmig.exe"
    1⤵
    • Process spawned unexpected child process
    PID:1664
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\championship.inf.dll" -Force
    1⤵
    • Process spawned unexpected child process
    • Deletes itself
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1592-63-0x00000000025A0000-0x00000000025A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1592-64-0x000000001AC30000-0x000000001AC31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1592-66-0x00000000024F0000-0x00000000024F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1592-65-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1592-67-0x000000001ABB4000-0x000000001ABB6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1592-68-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1592-69-0x000000001B5E0000-0x000000001B5E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1592-70-0x000000001B750000-0x000000001B751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-60-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-61-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

    Filesize

    8KB

    Download