Overview

overview

10

Static

static

10

44ba5f629c...a5.dll

windows7_x64

3

44ba5f629c...a5.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-02-2022 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44ba5f629c731604580c863afa7e84c87e0ebf431294fa4646c83f8820d2ffa5.dll

  • Size

    480KB

  • MD5

    46ff7a914be72003199e051cab2b2c0d

  • SHA1

    6b1785ae3d2415cd12eedbe4d232a2887d5aa7fb

  • SHA256

    44ba5f629c731604580c863afa7e84c87e0ebf431294fa4646c83f8820d2ffa5

  • SHA512

    3c7ce281805ded31fbdd74f66f8daefb534e7b87d03014580446416c962651fa292b44c75518841eb478b90656f8242f1f01c3779f164e38f87c11d692029fea

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\44ba5f629c731604580c863afa7e84c87e0ebf431294fa4646c83f8820d2ffa5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\44ba5f629c731604580c863afa7e84c87e0ebf431294fa4646c83f8820d2ffa5.dll,#1
      2⤵
        PID:3364
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 560
          3⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3364 -ip 3364
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:1888
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2196
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4308

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2196-130-0x000002620A390000-0x000002620A3A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-131-0x000002620AC70000-0x000002620AC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-132-0x000002620D360000-0x000002620D364000-memory.dmp

      Filesize

      16KB

      Download