Analysis
-
max time kernel
132s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
22/03/2022, 11:32
Static task
static1
Behavioral task
behavioral1
Sample
readme2.dll
Resource
win7-20220311-en
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
readme2.dll
Resource
win10v2004-20220310-en
0 signatures
0 seconds
General
-
Target
readme2.dll
-
Size
654KB
-
MD5
f762a352d68d6a4b5de6e1dfb97f695c
-
SHA1
ae71e05af13607ec1339bb4e5c3dff70b93b822d
-
SHA256
d6bbd7322d650172dc416d232a8965a35d18051d29634116df4f8cb175dd660d
-
SHA512
d3129b92317e2bde49da4a191d079c657eabd6051fc55b28bf782a96aa65bd1dea17a40999c9931b5e5e62db6e9016afb4e1b2a0bda06455c0054d2b59541eb2
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C6C67993-B833-442B-B03B-775A186CCC00}.catalogItem svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{24DC5DB5-0B07-4401-AFB2-C8BF064973A8}.catalogItem svchost.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2724 wrote to memory of 5016 2724 rundll32.exe 85 PID 2724 wrote to memory of 5016 2724 rundll32.exe 85 PID 2724 wrote to memory of 5016 2724 rundll32.exe 85
Processes
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2592
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\readme2.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\readme2.dll,#12⤵PID:5016
-