Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-12-2021 07:05

Static task: static1

Behavioral task: behavioral1
- Sample: 0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a.dll
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a.dll
- Resource: win10-en-20211208
General
- Target: 0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a.dll
- Size: 522KB
- MD5: aaf943c5a95b3dd813c441d3bdca0e5a
- SHA1: 529a1793f8019042952a379bbd91da51e02aa2b1
- SHA256: 0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a
- SHA512: 647ae31e6bbe7e8646c75d8d52a2c6e5f81eb9c815821fda164ba21d6754052f9c49a9048fac4ec976ba9d234599e0b9abdd6f278b422329a5f244bbcf570297
Malware Config
Extracted family: matanbuchus
URLs:
- https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml
- https://belialw869367.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml
- https://beliale232634.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml
- https://belialr878539.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml
- https://belialp632298.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml
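The five extracted URLs are worth more than a copy-paste blocklist: two of them end in Y2xpbnRvbjQ1.xml, which is the base64 form of clinton45.xml used by the other three, so all five share one campaign tag, and the two UUID path segments are specific enough to hunt on by themselves. The following is an added example, not part of the sandbox report or of Matanbuchus; it copies the URLs from the config above and turns them into indicators matched against constructed proxy-log lines. The hostname regex ("belial" + one letter + six digits + ".at") is an observation from these five names only, and the proxy-log format and lines are this example's own assumptions.

```python
"""Turn the extracted Matanbuchus config URLs into checkable indicators.

Added example, not part of the sandbox report or of Matanbuchus itself.
The five URLs are copied from the "Malware Config" section; the hostname
regex, the proxy-log format and the log lines are this example's own
assumptions and constructed data.
"""
import base64
import re
from urllib.parse import urlparse

# Copied from the report's extracted config.
C2_URLS = [
    "https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml",
    "https://belialw869367.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml",
    "https://beliale232634.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml",
    "https://belialr878539.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml",
    "https://belialp632298.at/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml",
]

# Assumption: all five hosts look like "belial" + one letter + six digits + ".at".
# That is only what this config shows; it is used here as a looser hunt pattern.
HOST_PATTERN = re.compile(r"^belial[a-z]\d{6}\.at$")


def campaign_tag(url: str) -> str:
    """Return the URL's file-name stem, base64-decoded when that gives printable ASCII.

    Two URLs end in Y2xpbnRvbjQ1.xml and three in clinton45.xml; the former is
    the base64 form of the latter, so both map to the same tag.
    """
    stem = urlparse(url).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    try:
        raw = base64.b64decode(stem + "=" * (-len(stem) % 4), validate=True)
        decoded = raw.decode("ascii")
        if decoded.isprintable():
            return decoded
    except (ValueError, UnicodeDecodeError):
        pass  # not base64, or not text: the stem is the tag itself
    return stem


def indicators(urls=C2_URLS):
    """Exact hosts and paths from the config, plus hosts grouped by campaign tag."""
    ioc = {"hosts": set(), "paths": set(), "tags": {}}
    for url in urls:
        parts = urlparse(url)
        ioc["hosts"].add(parts.hostname)
        ioc["paths"].add(parts.path)
        ioc["tags"].setdefault(campaign_tag(url), set()).add(parts.hostname)
    return ioc


# Constructed proxy-log lines, not real traffic: "<client> <method> <url>".
PROXY_LOG = """\
10.0.0.5 GET https://belialq449663.at/f5126584-3f68-4e0c-868a-dcb2455f8146/Y2xpbnRvbjQ1.xml
10.0.0.5 GET https://www.example.com/
10.0.0.7 POST https://belialz000001.at/some/other/path
10.0.0.9 GET https://other.example/b0868b6b-7f2c-4ac6-ba54-ba9b13744d17/clinton45.xml
"""


def scan_proxy_log(text: str, ioc=None):
    """Return (client, url, reason) for every line that matches an indicator.

    Order of checks: exact config URL, known host, known path on an unseen
    host (the UUID segment is specific enough to flag alone), then the looser
    hostname pattern.
    """
    ioc = ioc or indicators()
    hits = []
    for line in text.splitlines():
        client, _method, url = line.split(" ", 2)
        parts = urlparse(url)
        host, path = parts.hostname or "", parts.path
        if host in ioc["hosts"] and path in ioc["paths"]:
            reason = "exact config URL"
        elif host in ioc["hosts"]:
            reason = "known C2 host"
        elif path in ioc["paths"]:
            reason = "known C2 path on new host"
        elif HOST_PATTERN.match(host):
            reason = "hostname matches belial pattern"
        else:
            continue
        hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for tag, hosts in indicators()["tags"].items():
        print(tag, sorted(hosts))
    for hit in scan_proxy_log(PROXY_LOG):
        print(*hit)
```

The path-only match is deliberate: the loader's hostnames rotate, but the UUID directory and the tag file name are what the config actually keys on, so a hit on a path with a fresh host is still worth an alert. The hostname pattern is the weakest rule and should be treated as a hunting lead rather than a block decision.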
Signatures
- Matanbuchus
  A loader sold as malware-as-a-service (MaaS), first seen in February 2021.
- Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    644   3512         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    644   WerFault.exe   (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   644   WerFault.exe
    Token: SeBackupPrivilege    644   WerFault.exe
    Token: SeDebugPrivilege     644   WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process        target process
    PID 3032 wrote to memory of 3512   3032   rundll32.exe   rundll32.exe   (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 3032)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3512)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 644)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 688
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The hand-off from the 64-bit rundll32.exe to its SysWOW64 counterpart with an identical command line is the relaunch rundll32 performs when the DLL it is given is 32-bit; the 32-bit child (PID 3512) is the process that actually hosts the DLL, and it is the one WerFault.exe was started for (-p 3512).
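The process tree above is a compact detection case: rundll32 loading a DLL from the user's Temp directory by export ordinal (",#1"), a system32 rundll32 spawning a SysWOW64 rundll32 with the same command line (the parent/child pair behind the WriteProcessMemory signature), and WerFault handling the crash of that child. The following is an added example, not part of the sandbox report: a small rule set run over process-creation records constructed from the PIDs, images and command lines shown in the tree. The Sysmon-like field names, the top-level parent PID 1234 and the benign rundll32 decoy (PID 700) are this example's assumptions.

```python
"""Flag the rundll32 -> rundll32 (WoW64) -> WerFault chain from the process tree.

Added example, not part of the sandbox report. The events below are
constructed from the report's process tree (PIDs 3032, 3512, 644, the two
rundll32 command lines and the WerFault arguments); the Sysmon-like field
names, the top-level parent PID 1234 and the benign decoy (PID 700) are
this example's assumptions.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

DLL = r"C:\Users\Admin\AppData\Local\Temp\0634f6c10ac079514d4db0ec04d842c48448538f3f636963d1ef17111bedc72a.dll"

# Constructed process-creation events (field names assumed, values from the report).
EVENTS = [
    Event(3032, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event(3512, 3032, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event(644, 3512, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 688"),
    # Decoy: an ordinary rundll32 invocation that must not be flagged.
    Event(700, 1234, r"C:\Windows\system32\rundll32.exe",
          "rundll32.exe shell32.dll,Control_RunDLL"),
]

# A DLL under the user's Temp directory loaded by export ordinal (",#<n>").
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# WerFault's "-p <pid>" names the crashed process.
WERFAULT_TARGET = re.compile(r"-p\s+(\d+)")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events, pid):
    """Images from the oldest known ancestor down to `pid`, for reporting."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events):
    """Return (pid, rule) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "rundll32.exe" and TEMP_DLL_ORDINAL.search(e.cmdline):
            findings.append((e.pid, "rundll32 loads Temp DLL by ordinal"))
        # A 64-bit rundll32 given a 32-bit DLL relaunches the same command line
        # through its SysWOW64 counterpart; this is the 3032 -> 3512 hop.
        if (name == "rundll32.exe" and "\\syswow64\\" in e.image.lower()
                and parent is not None
                and parent.image.lower().endswith("\\system32\\rundll32.exe")):
            findings.append((e.pid, "rundll32 WoW64 relaunch"))
        if name == "werfault.exe":
            m = WERFAULT_TARGET.search(e.cmdline)
            target = by_pid.get(int(m.group(1))) if m else None
            if (target is not None and _basename(target.image) == "rundll32.exe"
                    and TEMP_DLL_ORDINAL.search(target.cmdline)):
                findings.append((e.pid, "WerFault for suspicious rundll32"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, "<-", " -> ".join(process_chain(EVENTS, pid)))
```

The WerFault rule only fires when the crashed PID resolves to a rundll32 that the first rule already flagged, so routine application crashes stay quiet; the WoW64 rule is the one that keys on process lineage rather than command-line text and survives a renamed or relocated DLL.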
Network
MITRE ATT&CK Matrix
Downloads
- memory/3512-115-0x0000000000000000-mapping.dmp
- memory/3512-116-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (4KB)
- memory/3512-118-0x0000000004760000-0x000000000477E000-memory.dmp (120KB)
- memory/3512-117-0x0000000004760000-0x000000000477E000-memory.dmp (120KB)
- memory/3512-120-0x0000000004760000-0x000000000477E000-memory.dmp (120KB)
- memory/3512-119-0x0000000004720000-0x000000000473F000-memory.dmp (124KB)