Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 00:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll
- Resource: win7-20220414-en
General
- Target: ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll
- Size: 3.4MB
- MD5: 1dc00acdb581b52fbc009ffa34997d8e
- SHA1: 141f592b11ec85b523d5bd56905a54956e20a4b6
- SHA256: ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572
- SHA512: 168f48276a5dd084351340ec34af97c6a6c189ba6f614af2046d31ba12d50cdda71a7f23f2ee1e50030f9d060e5bd5a3fe32e76d87ab7e0313dd237238bb92ab
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2388 cmd.exe
    2708 cmd.exe
    5032 GetX64BTIT.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    55 api.ipify.org
    56 api.ipify.org
- Uses Tor communications (1 TTPs)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    5060 rundll32.exe
    4496 extrac32.exe (2 entries)
    2708 cmd.exe (all remaining entries, repeated)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    4496 extrac32.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeBackupPrivilege, 5060 rundll32.exe (all 64 entries are identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    5060 rundll32.exe
    2708 cmd.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
    PID 1056 wrote to memory of 5060: 1056 rundll32.exe -> rundll32.exe (3 entries)
    PID 5060 wrote to memory of 4496: 5060 rundll32.exe -> extrac32.exe (remaining 61 entries)
Processes (process tree; indentation shows parent/child)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac2071e4dc5422825963da4f321466c4d3376498902b0ea1aa56e1e6ef576572.dll,#1
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\extrac32.exe
      Command line: "C:\Windows\system32\extrac32.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
        - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
          Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (listed twice with identical hashes)
  Filesize: 3KB
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\cmd.exe (listed twice with identical hashes)
  Filesize: 231KB
  MD5: d0fce3afa6aa1d58ce9fa336cc2b675b
  SHA1: 4048488de6ba4bfef9edf103755519f1f762668f
  SHA256: 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
  SHA512: 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  Filesize: 28B
  MD5: 20858d031991fe489673792b6dabdbfd
  SHA1: c8efad10143389f490efea43a94eb8296a43c15b
  SHA256: 54b4be6dd02b61e0fc436ae94789e93520c0e0ea874dd231f1ef83d372a5675a
  SHA512: f470cb8257c2f762ecf7cd50cc184a9f675caa614d7927245f9dbbccaa9190535206942ac229cd5a0b79677c73c4b3617d5ea0aaca084e0958f54d047d28b5cf
- memory/2388-137-0x0000000000000000-mapping.dmp
- memory/2708-143-0x0000000000EA0000-0x0000000000EA7000-memory.dmp (Filesize: 28KB)
- memory/2708-140-0x0000000000000000-mapping.dmp
- memory/2708-144-0x00007FFDFAA70000-0x00007FFDFAC65000-memory.dmp (Filesize: 2.0MB)
- memory/2708-149-0x0000000000400000-0x000000000049F000-memory.dmp (Filesize: 636KB)
- memory/4496-136-0x00007FFDFAA70000-0x00007FFDFAC65000-memory.dmp (Filesize: 2.0MB)
- memory/4496-135-0x0000000004740000-0x00000000047C2000-memory.dmp (Filesize: 520KB)
- memory/4496-141-0x0000000004746000-0x0000000004756000-memory.dmp (Filesize: 64KB)
- memory/4496-134-0x0000000002C90000-0x0000000002C98000-memory.dmp (Filesize: 32KB)
- memory/4496-132-0x0000000000000000-mapping.dmp
- memory/5032-150-0x0000000000000000-mapping.dmp
- memory/5060-130-0x0000000000000000-mapping.dmp
- memory/5060-133-0x00000000029D0000-0x00000000029D9000-memory.dmp (Filesize: 36KB)
- memory/5060-131-0x0000000002600000-0x0000000002986000-memory.dmp (Filesize: 3.5MB)