Overview

overview

9

Static

static

9

435d51cacb...e0.dll

windows7_x64

8

435d51cacb...e0.dll

windows10-2004_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    435d51cacb6bd9222d3165df22c2306e072403f0765a6f57224ab5a732305ae0.dll

  • Size

    199KB

  • MD5

    2bd1db3a5357dcf620bf979eee24d073

  • SHA1

    089424f4975b51b4f549ca7c261f553da3aa0a8d

  • SHA256

    435d51cacb6bd9222d3165df22c2306e072403f0765a6f57224ab5a732305ae0

  • SHA512

    f009d9feb6cc4e2eb96f410b86cd8fb78b865e25d600172a613c11bdb0f484f0bb549d8daf0656330923f8bca79f7b5aa8bc11692e4e62e1b4c78a746d084a40

Score
8/10
evasionupx

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies Internet Explorer Protected Mode 1 TTPs 15 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\435d51cacb6bd9222d3165df22c2306e072403f0765a6f57224ab5a732305ae0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\435d51cacb6bd9222d3165df22c2306e072403f0765a6f57224ab5a732305ae0.dll,#1
      2⤵
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
          PID:1176
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          3⤵
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          PID:1984
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe
          3⤵
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          PID:1560
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        2⤵
        • Suspicious use of FindShellTrayWindow
        PID:468
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9OV64RRP.txt
      Filesize

      606B

      MD5

      94f27efc230f55e13fd21623241b1575

      SHA1

      23a5f4735f15fc071b38b08c88c17d26e907ee14

      SHA256

      56e90bbdc8dd837890487d36f2ec29501d1e1575a7b5163e4fed56b94069c58a

      SHA512

      d81a7a06c436d90d0c301249e2bfee4b25b5b13b59d60c2e484636e19ff37fa8b89a275fc3061376f584196a501b5ce20fabd4b8cded94ea6864b81ebbb24077

      Download Submit

    • memory/468-67-0x0000000000000000-mapping.dmp

      Download

    • memory/1176-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1176-65-0x0000000074AE1000-0x0000000074AE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1560-73-0x00000000002F0000-0x000000000033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1560-71-0x0000000000000000-mapping.dmp

      Download

    • memory/1560-76-0x00000000002F0000-0x000000000033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1560-74-0x00000000002F0000-0x000000000033C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1736-68-0x00000000037C0000-0x00000000037D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1736-66-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1928-57-0x0000000000150000-0x000000000019C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1928-60-0x00000000001B0000-0x00000000001C5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1928-58-0x0000000000150000-0x000000000019C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1928-54-0x0000000000000000-mapping.dmp

      Download

    • memory/1928-59-0x0000000000160000-0x00000000001AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1928-55-0x0000000075401000-0x0000000075403000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1984-69-0x0000000000270000-0x00000000002BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1984-70-0x0000000000270000-0x00000000002BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1984-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1984-75-0x0000000000270000-0x00000000002BC000-memory.dmp

      Filesize

      304KB

      Download