929adcf731e730ee1251eeef8513fd774b1357c1c3e1da4d287722ed778434f9

Analysis

max time kernel
88s
max time network
154s
platform
windows10_x64
resource
win10-en-20210920
submitted
20-10-2021 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

San11 Tc/San11.exe
Size

5.9MB
MD5

07d46200af50166f44ed7208d3c65f67
SHA1

d9675b890bd29ff5274358083be77e9e361c7820
SHA256

bb0e70d0df97abb44faef927f36c2afe06bba148168aa39cc7dcf13b1ab9f651
SHA512

2c0757f14cea6bb7874ba82568ed4fbac61f07231924e2f9e6d26bce7df781e461bc3d9767fce445a701f43baed388929720597ac39f2c36e833dee57bff17c8

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

San11.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\SECDRV.SYS San11.exe
File opened for modification C:\Windows\SysWOW64\drivers\SECDRV.SYS San11.exe
Executes dropped EXE 1 IoCs

Processes:

~e5.0001

pid process

4340 ~e5.0001
Loads dropped DLL 4 IoCs

Processes:

San11.exe~e5.0001

pid process

3684 San11.exe
4340 ~e5.0001
3684 San11.exe
3684 San11.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628
Suspicious use of WriteProcessMemory 3 IoCs

Processes:

San11.exe

description pid process target process

PID 3684 wrote to memory of 4340 3684 San11.exe ~e5.0001
PID 3684 wrote to memory of 4340 3684 San11.exe ~e5.0001
PID 3684 wrote to memory of 4340 3684 San11.exe ~e5.0001

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\SECDRV.SYS	San11.exe
File opened for modification	C:\Windows\SysWOW64\drivers\SECDRV.SYS	San11.exe

pid	process
4340	~e5.0001

pid	process
3684	San11.exe
4340	~e5.0001
3684	San11.exe
3684	San11.exe

pid	process
628

description	pid	process	target process
PID 3684 wrote to memory of 4340	3684	San11.exe	~e5.0001
PID 3684 wrote to memory of 4340	3684	San11.exe	~e5.0001
PID 3684 wrote to memory of 4340	3684	San11.exe	~e5.0001

C:\Users\Admin\AppData\Local\Temp\San11 Tc\San11.exe
"C:\Users\Admin\AppData\Local\Temp\San11 Tc\San11.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\~e5.0001
"C:\Users\Admin\AppData\Local\Temp\~e5.0001" 3684 "C:\Users\Admin\AppData\Local\Temp\""~e5.0001.dir.0000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~e5.0001
MD5
b9bcaeca2d337cf96c490c625884e9af

SHA1
2d82d74410c3748a2d4634800cd6a9b9d5beec81

SHA256
b3b7f9564e01ac379cb1e2bba1c7a5a1ae1627548bbad4c6a0844ca6c5c827aa

SHA512
a091e3ff60d9a5fab44234c859626ee623dfe4b199c37704bd879f027ff6f8501e2b384fd0ba62319479cab92e021d5067e7ab583c505bb0d358a45692e3a981

Download Submit
C:\Users\Admin\AppData\Local\Temp\~e5.0001
MD5
b9bcaeca2d337cf96c490c625884e9af

SHA1
2d82d74410c3748a2d4634800cd6a9b9d5beec81

SHA256
b3b7f9564e01ac379cb1e2bba1c7a5a1ae1627548bbad4c6a0844ca6c5c827aa

SHA512
a091e3ff60d9a5fab44234c859626ee623dfe4b199c37704bd879f027ff6f8501e2b384fd0ba62319479cab92e021d5067e7ab583c505bb0d358a45692e3a981

Download Submit
C:\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\PfdRun.pfd
MD5
0261b8f07012ab04b64daf42ea8bc092

SHA1
be1ba2c62a713b3a4a8d36408f8abcb2139378f3

SHA256
a3501267ef5112c0afb65fdf1d32ae4731aeaf29222ab8f2d4b450d06845efaf

SHA512
5b520571a221ef9c56fc938bed4c1f33db70cc09be41e87fe5479a1aaf0c9c72d12853513b3110d7bf7a5b5178eb0c46f2bd4f3036599f0ea753a936ef46e3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~df394b.tmp
MD5
336e3ef3db0cf3a6f4f038f92f4d2e62

SHA1
e0148a28907fc2f5a28dd0ab02634352d64a5f0e

SHA256
98aa5b28d050b6dcd75623a3f162aea10b5b7213e2080777d2742e96a31e3a60

SHA512
aa61636cc61c8ac298f3009b0d9118a5ba91553618535226fef01b6506a11d2e4a6d09fa4add9ba7c2e2a7b30c04b6c7d4882bd24d8f4767dfc721d6399197c5

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\DrvMgt.dll
MD5
9b188e6f9fac4b8fb8d536015589df37

SHA1
a5247ec0ec50b8f470c93bf23e3f2514c402d5ad

SHA256
538471b7ebe7db84153d4ece0012167805333152c2bf1f83c08da28945e6d85b

SHA512
a6e2963bd09b0d39f7ca929ae2eba1639e6301a93755bd83f1c853f55c658936585f6171d0376ee4022a84c9be5383f4522cfc8277b51502147d88664c7063dd

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~de13e4.tmp
MD5
df52aa569acf229c80d1beef0566ef5c

SHA1
7107142a3a88212666845f2da78a694ca3e7594d

SHA256
ec4cc717e32f1f1a07ae07805b52963ae960565dbddf2eb9d333b2fec0116bcc

SHA512
878fc1f4c2ec23d9a5d259b0fc5869cb66a55008ea5ed4efead8d46c9ba6986b760644b40a50f00fcb72fe045d5c2bd2e95753d46296521797696e097684aa14

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~df394b.tmp
MD5
336e3ef3db0cf3a6f4f038f92f4d2e62

SHA1
e0148a28907fc2f5a28dd0ab02634352d64a5f0e

SHA256
98aa5b28d050b6dcd75623a3f162aea10b5b7213e2080777d2742e96a31e3a60

SHA512
aa61636cc61c8ac298f3009b0d9118a5ba91553618535226fef01b6506a11d2e4a6d09fa4add9ba7c2e2a7b30c04b6c7d4882bd24d8f4767dfc721d6399197c5

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~df394b.tmp
MD5
336e3ef3db0cf3a6f4f038f92f4d2e62

SHA1
e0148a28907fc2f5a28dd0ab02634352d64a5f0e

SHA256
98aa5b28d050b6dcd75623a3f162aea10b5b7213e2080777d2742e96a31e3a60

SHA512
aa61636cc61c8ac298f3009b0d9118a5ba91553618535226fef01b6506a11d2e4a6d09fa4add9ba7c2e2a7b30c04b6c7d4882bd24d8f4767dfc721d6399197c5

Download Submit
memory/3684-115-0x0000000000400000-0x0000000009B4A000-memory.dmp

Filesize
151.3MB

Download
memory/4340-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads