Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-12-2021 18:09
Static task: static1
Behavioral task: behavioral1
- Sample: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll
- Resource: win10-en-20211208
General
- Target: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll
- Size: 80KB
- MD5: 5b615cfd2ec6aa4f6242197481fc108b
- SHA1: fc366c0f83711fed7303b752abf09f2be74e2a15
- SHA256: 70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9
- SHA512: 6080fa1e08239533e726cae2420b885627e53a7bbf9fd1fad1d2c861ebdf94262f8540f841a8dfa1956148d7601ec7a4a22ef965a0a7776bbb96e8535c6c30fe
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: rundll32.exe
    pid   process
    1576  rundll32.exe
- Modifies Control Panel (1 IoC)
  Processes: rundll32.exe
    description   ioc                                                                                       process
    Key created   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid   process
    1576  rundll32.exe
    1576  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: rundll32.exe, vssvc.exe
    description                          pid   process
    Token: SeBackupPrivilege             1576  rundll32.exe
    Token: SeDebugPrivilege              1576  rundll32.exe
    Token: 36                            1576  rundll32.exe
    Token: SeImpersonatePrivilege        1576  rundll32.exe
    Token: SeIncBasePriorityPrivilege    1576  rundll32.exe
    Token: SeIncreaseQuotaPrivilege      1576  rundll32.exe
    Token: 33                            1576  rundll32.exe
    Token: SeManageVolumePrivilege       1576  rundll32.exe
    Token: SeProfSingleProcessPrivilege  1576  rundll32.exe
    Token: SeRestorePrivilege            1576  rundll32.exe
    Token: SeSecurityPrivilege           1576  rundll32.exe
    Token: SeSystemProfilePrivilege      1576  rundll32.exe
    Token: SeTakeOwnershipPrivilege      1576  rundll32.exe
    Token: SeShutdownPrivilege           1576  rundll32.exe
    Token: SeBackupPrivilege             816   vssvc.exe
    Token: SeRestorePrivilege            816   vssvc.exe
    Token: SeAuditPrivilege              816   vssvc.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    description                      pid  process       target process
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
    PID 544 wrote to memory of 1576  544  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70344ece62a828c46ff315b3328125d8ab5f6902bbeaa24224fee97142ee6ad9.bin.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1576-54-0x0000000000000000-mapping.dmp
- memory/1576-55-0x0000000076141000-0x0000000076143000-memory.dmp (Filesize: 8KB)
- memory/1576-57-0x0000000002130000-0x0000000002131000-memory.dmp (Filesize: 4KB)
- memory/1576-56-0x0000000002135000-0x0000000002146000-memory.dmp (Filesize: 68KB)
- memory/1576-58-0x0000000002146000-0x0000000002147000-memory.dmp (Filesize: 4KB)