Overview

overview

10

Static

static

8

22585ab7de...6f.dll

windows7_x64

10

22585ab7de...6f.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    15-02-2022 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22585ab7de35b08fde0936704c556c39f0e0d554a4522c01ec8c16777ba7bd6f.dll

  • Size

    10.6MB

  • MD5

    2895127494f4f2c45357dfae7dda9ec6

  • SHA1

    29821030519227db7fa3c37db36b213f1c6f0a0a

  • SHA256

    22585ab7de35b08fde0936704c556c39f0e0d554a4522c01ec8c16777ba7bd6f

  • SHA512

    2a837fe1cb0a8f0a57d997f82c1f6a42704deaba07f4ec94c2e2d60743b40dc6196a251290a191f4746cc8d67cc36695e9c4c64c795591a40406701296540f42

Score
10/10
numandobackdoortrojanvmprotect

Malware Config

Signatures

  • Detect Numando Payload 2 IoCs
  • Numando

    Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.

    trojanbackdoornumando
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in Windows directory 7 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\22585ab7de35b08fde0936704c556c39f0e0d554a4522c01ec8c16777ba7bd6f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\22585ab7de35b08fde0936704c556c39f0e0d554a4522c01ec8c16777ba7bd6f.dll,#1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 724
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 724
        3⤵
        • Program crash
        PID:1972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4608 -ip 4608
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:2404
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2152
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2152-140-0x00000216FE320000-0x00000216FE330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-141-0x00000216FE380000-0x00000216FE390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2152-142-0x00000216FEA60000-0x00000216FEA64000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4608-131-0x00000000008B0000-0x00000000008B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-130-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-132-0x00000000037F0000-0x00000000037F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-134-0x0000000003820000-0x0000000003821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-133-0x0000000003810000-0x0000000003811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-135-0x0000000003830000-0x0000000003831000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-136-0x00000000021A0000-0x0000000003768000-memory.dmp

    Filesize

    21.8MB

    Download

  • memory/4608-138-0x000000000254B000-0x0000000002CCE000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4608-139-0x00000000021A1000-0x0000000002525000-memory.dmp

    Filesize

    3.5MB

    Download