Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 28-03-2022 20:33
Static task: static1
Behavioral task: behavioral1
- Sample: ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b.dll
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b.dll
- Resource: win10v2004-en-20220113
General
- Target: ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b.dll
- Size: 137KB
- MD5: 80a0d6819d431dbde0661de16f1487af
- SHA1: c57b6cdc3852bd11adf5f1eb3f5b8ec077037093
- SHA256: ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b
- SHA512: d1802939f331e215be388d8b9187385ed50aea27e73217fba41f413cf101e4ae6ab9d8977e6fde9f8d9221c01a9453a62caad1e3ea9b3e77fd48f4514d95d6ff
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
  Processes:
- Tries to connect to .bazar domain (64 IoCs)
  Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  Processes:
- Unexpected DNS network traffic destination (64 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Processes:
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe (pid 3736); rundll32.exe (pid 3736)