Analysis

  • max time kernel
    61s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 12:38

General

  • Target

    655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376.dll

  • Size

    52KB

  • MD5

    9f7a7c1f9c1a46cc97307ca3c657d8cd

  • SHA1

    6bfc7b2816f5d67c1dc9366d810a683ed82105a4

  • SHA256

    655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376

  • SHA512

    ced3e0191ec93aad8beaa56253b3cce131d81a365c03b101c8dc26e4eaff4f576fccb710a40f2012fc8ad3eeb06e1775458a38350d3abff3cdc16ff6e7f34539

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\655b1643db3679764d779f1fc284b647b69285e8cd7bb28a8a235140eff42376.dll,#1
    PID:3392
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3392 -s 244
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2636
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 376 -p 3392 -ip 3392
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:1648
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 3d51854c3f8778e1c45932f345da6a59 yzwVONUP0USTICKjlfzNaA.0.1.0.0.0
    • Modifies data under HKEY_USERS
    PID:4912
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1644

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1644-130-0x000001F454330000-0x000001F454340000-memory.dmp
    Filesize: 64KB
  • memory/1644-131-0x000001F454390000-0x000001F4543A0000-memory.dmp
    Filesize: 64KB
  • memory/1644-132-0x000001F457070000-0x000001F457074000-memory.dmp
    Filesize: 16KB