Resubmissions
Submitted          Task ID             Score
15-09-2021 06:42   210915-hgtlhadaer   10
14-09-2021 08:06   210914-jzwz1sacfj   10
10-09-2021 11:57   210910-n4w8ssdbdp   10
08-09-2021 11:10   210908-m965hshefk   10

Analysis
Max time kernel: 59s
Max time network: 60s
Platform: windows10_x64
Resource: win10-en
Submitted: 15-09-2021 06:42
Static task: static1

Behavioral task: behavioral1
Sample: championship.inf.dll
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: championship.inf.dll
Resource: win10-en (windows10_x64)
0 signatures, 0 seconds
General
Target: championship.inf.dll
Size: 2.0MB
MD5: 0b7da6388091ff9d696a18c95d41b587
SHA1: 6c10d7d88606ac1afd30b4e61bf232329a276cdc
SHA256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b
SHA512: 45b26e8f9885dca6f4e1984fc39cb4c2a5b5988c970f35dde987b7a5a8417acbe5e972a6602071e903425f91a9095c7c289e574c3bad3039324185ad85d06a9a
Score: 10/10
Malware Config
Signatures
-
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description                                                                          pid   pid_target  process         target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4048  2080        wabmig.exe      -
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1256  2080        powershell.exe  -
Here pid is the spawned process and pid_target (2080) is its parent, the WMI provider host wmiprvse.exe, which the sandbox did not trace (hence the empty target process column). A child of wmiprvse.exe is what a Win32_Process.Create call produces, so wabmig.exe and powershell.exe were most likely launched through WMI, which is why neither has a recorded link to rundll32.exe.
-
Deletes itself (1 IoC)
Processes:
pid   process
1256  powershell.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid   process
4044  rundll32.exe
4044  rundll32.exe
1256  powershell.exe
1256  powershell.exe
1256  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  4044  rundll32.exe
Token: SeDebugPrivilege  1256  powershell.exe
-
Suspicious use of WriteProcessMemory (1 IoC)
Processes:
description                       pid   process       target process
PID 4044 wrote to memory of 4048  4044  rundll32.exe  wabmig.exe
Processes
-
C:\Windows\system32\rundll32.exe (PID 4044)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\championship.inf.dll,#1
The ",#1" suffix tells rundll32 to call the DLL export at ordinal 1 rather than a named export.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\wabmig.exe (PID 4048)
Command line: "C:\Program Files\Windows Mail\wabmig.exe"
Launched with no arguments; it is the target of the WriteProcessMemory from rundll32.exe (PID 4044), so this legitimate Windows Mail binary most likely hosts the injected code.
- Process spawned unexpected child process
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1256)
Command line: powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\championship.inf.dll" -Force
Waits five seconds, then force-deletes the DLL from disk, leaving the sample's code only in memory.
- Process spawned unexpected child process
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
All three entries are root nodes of the process tree: the recorded parent of wabmig.exe and powershell.exe is wmiprvse.exe (PID 2080), not rundll32.exe.
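The signatures and the process tree above describe one chain: rundll32.exe loads the DLL's export #1, two processes appear under wmiprvse.exe, rundll32.exe writes into wabmig.exe, and a PowerShell one-liner deletes the DLL after a delay. The following Python is an added example, not the sandbox's code, that re-derives those three findings from process-creation records constructed from the PIDs, images and command lines in this report. The record fields, the helper names and the empty parent for rundll32.exe (whose parent the report does not show) are my assumptions.

```python
"""Re-derive this report's behavioural signatures from process events.

Added example; not the sandbox's code. The records below are constructed
from the PIDs, images and command lines the report lists. Field and
function names are my own. rundll32.exe's parent is not in the report, so
its ppid/parent_image are left empty (assumption).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable
    cmdline: str
    parent_image: str   # full path of the parent, "" if untraced


@dataclass(frozen=True)
class MemWrite:
    source_pid: int
    target_pid: int


# Constructed from the report's Processes and Signatures sections.
EVENTS = [
    ProcEvent(4044, 0, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\championship.inf.dll,#1", ""),
    ProcEvent(4048, 2080, r"C:\Program Files\Windows Mail\wabmig.exe",
              r'"C:\Program Files\Windows Mail\wabmig.exe"',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(1256, 2080, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\championship.inf.dll" -Force',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
]
MEM_WRITES = [MemWrite(4044, 4048)]

# wmiprvse.exe shows up as parent when a process is created through WMI
# (Win32_Process.Create); the real caller is hidden behind it.
WMI_HOST = "wmiprvse.exe"

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?),\s*(?P<entry>#?\w+)", re.IGNORECASE)
REMOVE_RE = re.compile(r'Remove-Item\s+(?:-Path\s+)?"?(?P<path>[^"]+?)"?\s+-Force', re.IGNORECASE)
SLEEP_RE = re.compile(r"(?:Sleep|Start-Sleep)\s+(?:-Seconds\s+)?(?P<secs>\d+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline: str):
    """(dll_path, entry) for a rundll32 command line, else None.
    An entry of '#N' is export ordinal N; anything else is an export name."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("entry")


def unexpected_children(events, parent_name=WMI_HOST):
    """'Process spawned unexpected child process': anything parented by wmiprvse.exe."""
    return [(e.pid, e.ppid, basename(e.image))
            for e in events if basename(e.parent_image) == parent_name]


def self_deletion(events):
    """'Deletes itself': PowerShell removing a file that rundll32 loaded in this trace."""
    loaded_by = {}
    for e in events:
        hit = rundll32_target(e.cmdline)
        if hit:
            loaded_by[hit[0].lower()] = e.pid
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        m = REMOVE_RE.search(e.cmdline)
        if not m or m.group("path").lower() not in loaded_by:
            continue
        s = SLEEP_RE.search(e.cmdline)  # delay gives the loader time to finish
        findings.append({"pid": e.pid, "path": m.group("path"),
                         "loaded_by": loaded_by[m.group("path").lower()],
                         "delay_s": int(s.group("secs")) if s else 0})
    return findings


def cross_process_writes(events, writes):
    """'Suspicious use of WriteProcessMemory': writes into another traced process."""
    by_pid = {e.pid: e for e in events}
    return [(w.source_pid, basename(by_pid[w.source_pid].image),
             w.target_pid, basename(by_pid[w.target_pid].image))
            for w in writes
            if w.source_pid != w.target_pid and w.source_pid in by_pid and w.target_pid in by_pid]


def analyse(events=EVENTS, writes=MEM_WRITES):
    return {
        "unexpected_children": unexpected_children(events),
        "self_deletion": self_deletion(events),
        "cross_process_writes": cross_process_writes(events, writes),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name, hits)
```

The self-deletion check deliberately ties the Remove-Item path back to a DLL that rundll32 actually loaded in the same trace; a bare "PowerShell ran Remove-Item" rule would fire on ordinary administration. Likewise the WMI-parent check is only a starting point: legitimate software occasionally creates processes through WMI, so in production you would allow-list known image/parent pairs rather than alert on every child of wmiprvse.exe.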
Network
MITRE ATT&CK Matrix
Downloads
Dump                                                               Size
memory/1256-120-0x0000025F1F470000-0x0000025F1F472000-memory.dmp   8KB
memory/1256-122-0x0000025F1F473000-0x0000025F1F475000-memory.dmp   8KB
memory/1256-123-0x0000025F06DA0000-0x0000025F06DA1000-memory.dmp   4KB
memory/1256-127-0x0000025F20750000-0x0000025F20751000-memory.dmp   4KB
memory/1256-139-0x0000025F1F476000-0x0000025F1F478000-memory.dmp   8KB
memory/4044-115-0x00007FFD486C0000-0x00007FFD486D0000-memory.dmp   64KB
The dumps cover only powershell.exe (1256) and rundll32.exe (4044); no region from wabmig.exe (4048), the target of the WriteProcessMemory call, was captured, so the injected code is not in this download set.