Overview

overview

10

Static

static

10

d02798629a...fd.dll

windows7_x64

3

d02798629a...fd.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    13-02-2022 23:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d02798629a25f74b9a5340cd3a5b1070cecbdffe04332c76c20f31357440b5fd.dll

  • Size

    156KB

  • MD5

    f1bd39b9c385e63a373e4cfcf569cd53

  • SHA1

    8cfc211e04f866450637a6f4c124eb44be86e86e

  • SHA256

    d02798629a25f74b9a5340cd3a5b1070cecbdffe04332c76c20f31357440b5fd

  • SHA512

    0c99c62bf1f35e6a2eefbcc476bcc705e5370fcc4ceb32b6aa827a993c683443b602201e85d30440abea56bbf2f193c57b58f9f89de12f4fe429a6d213a7a65d

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d02798629a25f74b9a5340cd3a5b1070cecbdffe04332c76c20f31357440b5fd.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d02798629a25f74b9a5340cd3a5b1070cecbdffe04332c76c20f31357440b5fd.dll,#1
      2⤵
        PID:4456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 544
          3⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4456 -ip 4456
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:2764
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1604

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4696-130-0x000001E160140000-0x000001E160150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4696-131-0x000001E1601A0000-0x000001E1601B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4696-132-0x000001E162EC0000-0x000001E162EC4000-memory.dmp

      Filesize

      16KB

      Download