eb62a2999e8fe9cc49685bd090564c29d1d81b642b2df67c7ac2c6c13e9efd8f

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Conficker binaries/223D8089F8EE82F8B05266BAECAAC61E.dll
Size

56KB
MD5

223d8089f8ee82f8b05266baecaac61e
SHA1

6ede5f34e8717b470de10e56c99adc7c47307842
SHA256

a3617214a291590239cc686f97ef76841215ab0fd70bf35696e70b8f696a78de
SHA512

48accb32d1bd0f3c43f34518aa6872c3800449589573cc32719a2a0bd9fd4ae7ab07f964f9687eef9480c88e71bbb60c7d24b94a90ababb35df05a993b55eb58

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

4 284 rundll32.exe
5 284 rundll32.exe

flow	pid	process
4	284	rundll32.exe
5	284	rundll32.exe

Drops file in System32 directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\alysfuep.fue	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\alysfuep.fue	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 284	1412	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Conficker binaries\223D8089F8EE82F8B05266BAECAAC61E.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Conficker binaries\223D8089F8EE82F8B05266BAECAAC61E.dll",#1
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Modifies system certificate store
  PID:284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-54-0x0000000000000000-mapping.dmp

Download
memory/284-55-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/284-59-0x00000000000C0000-0x00000000000DC000-memory.dmp

Filesize
112KB

Download
memory/284-61-0x00000000000C0000-0x00000000000DC000-memory.dmp

Filesize
112KB

Download