e4acd60d437bb5558843e74e76630975c7bcc479484bbee595e34b8a2644b082 | Triage

Analysis

max time kernel
133s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-02-2022 07:40

Sharing

Report Analysis Logs

General

Target

freebl3.dll
Size

326KB
MD5

ef2834ac4ee7d6724f255beaf527e635
SHA1

5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256

a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512

c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeCreatePagefilePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeCreatePagefilePrivilege	2364	svchost.exe
Token: SeShutdownPrivilege	2364	svchost.exe
Token: SeCreatePagefilePrivilege	2364	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4596 wrote to memory of 4880	4596	rundll32.exe	rundll32.exe
PID 4596 wrote to memory of 4880	4596	rundll32.exe	rundll32.exe
PID 4596 wrote to memory of 4880	4596	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\freebl3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\freebl3.dll,#1
2⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-130-0x0000025BA6560000-0x0000025BA6570000-memory.dmp

Filesize
64KB

Download
memory/2364-131-0x0000025BA6B20000-0x0000025BA6B30000-memory.dmp

Filesize
64KB

Download
memory/2364-132-0x0000025BA91E0000-0x0000025BA91E4000-memory.dmp

Filesize
16KB

Download