Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 19-04-2022 02:22
Static task: static1
Behavioral task: behavioral1
  Sample: d0a4ab1f0e390d232ff3790f6569f31915fbdab40f2b6d1813f8ffbdc83c3b9f.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: d0a4ab1f0e390d232ff3790f6569f31915fbdab40f2b6d1813f8ffbdc83c3b9f.dll
  Resource: win10v2004-20220414-en
General
Target: d0a4ab1f0e390d232ff3790f6569f31915fbdab40f2b6d1813f8ffbdc83c3b9f.dll
Size: 97KB
MD5: 644f833fce3d075c4a0cc44cdc59e0fd
SHA1: 2aa95fa0d93a1a678e0bd891bdb5f990ab930a83
SHA256: d0a4ab1f0e390d232ff3790f6569f31915fbdab40f2b6d1813f8ffbdc83c3b9f
SHA512: 3c2ab610126b750e6cb7d49fce723b157cc6da80fa20477c68d7e0de06b35f319352940faff43c37afbb1214f54e8482ca4837571a7d610a746d04e538bb86c0
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
Processes:
Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
rundll32.exe
pid 1388, process rundll32.exe
pid 1388, process rundll32.exe