Analysis

max time kernel: 36s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 09:57
Behavioral task: behavioral1
Sample: e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6.dll
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6.dll
Resource: win10v2004-20220414-en
General

Target: e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6.dll
Size: 190KB
MD5: ba24b39f758851081ab4c49b8e832a0f
SHA1: cc101fef49cdd1bb2b86610cc6cac02492cd539e
SHA256: e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6
SHA512: b988ccdce9ef5947df0f773a4451b66a629496ab84eb2c9a1612185b7c2c5aaeb2b973cf29480d239d8b60fccd7ab240c46d7c782563f5fd36df3c433c0b50bd
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2040  ԳայլըсԳայլըПФрКЕыԳայլը.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1220  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process              rows
  PID 1260 wrote to memory of 1220   1260  rundll32.exe  rundll32.exe                7
  PID 1220 wrote to memory of 2040   1220  rundll32.exe  ԳայլըсԳայլըПФрКЕыԳայլը.exe  4
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6.dll,#1
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլը.exe
         "C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլը.exe"
         - Executes dropped EXE
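The process chain above (64-bit rundll32 handing the DLL to the SysWOW64 rundll32 with the same arguments, that copy then dropping and starting an executable in C:\ProgramData, plus the cross-process memory writes) is the kind of behaviour a hunting rule can match without any sample-specific hash. The script below is an added example, not part of the sandbox report or its vendor's tooling: the Proc records and the WriteProcessMemory pairs are constructed from the report's process tree and signature table, the field names, the rule names and the DROP_DIRS list are this example's assumptions, and the script-detection rule flags the dropped file's Armenian/Cyrillic name because that is what the report shows.

```python
import unicodedata
from collections import Counter
from dataclasses import dataclass

# Paths taken from the report; PIDs as shown in its process tree.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\e009fcbdd65aec859f46fd1df2125a54f576cf911320d1466eab1eedca2d49f6.dll")
DROPPED_EXE = "C:\\ProgramData\\ԳայլըсԳայլըПФрКЕыԳայլը.exe"


@dataclass(frozen=True)
class Proc:
    """One process-creation record (field names are this example's assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's "Processes" section.
PROCESSES = [
    Proc(1260, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Proc(1220, 1260, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Proc(2040, 1220, DROPPED_EXE, f'"{DROPPED_EXE}"'),
]

# (writer pid, target pid) pairs from the WriteProcessMemory table: 7 + 4 = 11 rows.
WPM_EVENTS = [(1260, 1220)] * 7 + [(1220, 2040)] * 4

# User-writable locations where a dropped payload typically lands (assumed list, lower-case).
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def scripts_of(filename):
    """Unicode scripts used by the letters of a file name's stem, e.g. {'ARMENIAN', 'CYRILLIC'}."""
    stem = filename.rsplit(".", 1)[0]
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in stem if ch.isalpha()}


def is_rundll32(proc):
    return basename(proc.image).lower() == "rundll32.exe"


def analyze(procs, wpm_events):
    """Return (rule, pid, ...) tuples for the behaviours this report flags."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        from_rundll32 = parent is not None and is_rundll32(parent)
        # 64-bit rundll32 re-launching the same DLL,#ordinal through the SysWOW64 copy,
        # which is how a 32-bit DLL gets hosted on a 64-bit system.
        if (from_rundll32 and is_rundll32(p)
                and "\\syswow64\\" in p.image.lower() and p.cmdline == parent.cmdline):
            findings.append(("wow64_relaunch", p.pid))
        # rundll32 as parent of an executable living in a drop directory.
        if from_rundll32 and p.image.lower().startswith(DROP_DIRS):
            findings.append(("rundll32_spawned_dropped_exe", p.pid))
        # Image name written in non-Latin or mixed scripts, as the dropped file here is.
        scripts = scripts_of(basename(p.image))
        if scripts - {"LATIN"}:
            findings.append(("non_latin_image_name", p.pid, tuple(sorted(scripts))))
    # Cross-process writes from rundll32 into the dropped executable, with a row count.
    for (src, dst), n in Counter(wpm_events).items():
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and is_rundll32(s) and d.image.lower().startswith(DROP_DIRS):
            findings.append(("rundll32_wrote_into_dropped_exe", dst, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESSES, WPM_EVENTS):
        print(*finding)
```

Run against the constructed records it reports the WoW64 re-launch of PID 1220, the dropped executable started as PID 2040, that process's Armenian/Cyrillic image name, and the four writes from rundll32 into it; the two system rundll32 processes trip none of the rules on their own, which is the point of keying on the parent/child relationship and the drop directory rather than on rundll32 itself.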
Downloads

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլը.exe
  Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլը.exe
  Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/1220-54-0x0000000000000000-mapping.dmp

memory/1220-55-0x0000000075F61000-0x0000000075F63000-memory.dmp
  Filesize: 8KB

memory/2040-57-0x0000000000000000-mapping.dmp