80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44

Analysis

max time kernel
47s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-04-2022 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44.dll
Size

2.1MB
MD5

15cc14b87da73661d0abc9f5aaa34350
SHA1

408df0b361e8e6369069478b9908ed52335f4be9
SHA256

80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44
SHA512

a99d6663cb61583176ec0ce6cb95f47fea1450b8ece18de09e72e2e43c6f678c5a3c18ecd1b527802aaccde17d22b269fd4bf0c9970803bd9371274c6c100b57

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE ComRAT CnC Domain in DNS Lookup
suricata: ET MALWARE ComRAT CnC Domain in DNS Lookup
suricata

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3340	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	rundll32.exe
Token: SeDebugPrivilege	5056	rundll32.exe
Token: SeDebugPrivilege	5056	rundll32.exe
Token: SeDebugPrivilege	5056	rundll32.exe
Token: SeDebugPrivilege	5056	rundll32.exe
Token: SeDebugPrivilege	5056	rundll32.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3488	5056	rundll32.exe	77
PID 5056 wrote to memory of 3488	5056	rundll32.exe	77
PID 5056 wrote to memory of 3680	5056	rundll32.exe	79
PID 5056 wrote to memory of 3680	5056	rundll32.exe	79
PID 5056 wrote to memory of 3372	5056	rundll32.exe	81
PID 5056 wrote to memory of 3372	5056	rundll32.exe	81
PID 3372 wrote to memory of 3340	3372	cmd.exe	83
PID 3372 wrote to memory of 3340	3372	cmd.exe	83
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 2152	5056	rundll32.exe	85
PID 5056 wrote to memory of 2152	5056	rundll32.exe	85
PID 5056 wrote to memory of 2152	5056	rundll32.exe	85
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 3000	5056	rundll32.exe	84
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 5012	5056	rundll32.exe	87
PID 5056 wrote to memory of 5012	5056	rundll32.exe	87
PID 5056 wrote to memory of 5012	5056	rundll32.exe	87
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 4504	5056	rundll32.exe	86
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2356	5056	rundll32.exe	89
PID 5056 wrote to memory of 2356	5056	rundll32.exe	89
PID 5056 wrote to memory of 2356	5056	rundll32.exe	89
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88
PID 5056 wrote to memory of 2024	5056	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44.dll,#1
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\cmd.exe
  /c "dir"
  2⤵
  PID:3488
- C:\Windows\System32\cmd.exe
  /c "set"
  2⤵
  PID:3680
- C:\Windows\System32\cmd.exe
  /c "ipconfig /all"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3340
- \??\c:\program files\internet explorer\iexplore.exe
  "c:\program files\internet explorer\iexplore.exe"
  2⤵
  PID:3000
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2152
- \??\c:\program files\internet explorer\iexplore.exe
  "c:\program files\internet explorer\iexplore.exe"
  2⤵
  PID:4504
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:5012
- \??\c:\program files\internet explorer\iexplore.exe
  "c:\program files\internet explorer\iexplore.exe"
  2⤵
  PID:2024
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3000-134-0x0000028184890000-0x00000281848A2000-memory.dmp

Filesize
72KB

Download