Analysis
-
max time kernel
136s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2022, 04:53
Static task
static1
Behavioral task
behavioral1
Sample
7b06062372121380aca639a8d17b2a4e2e5f7f856dabb7144cb6305807250715.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7b06062372121380aca639a8d17b2a4e2e5f7f856dabb7144cb6305807250715.dll
Resource
win10v2004-20220812-en
General
-
Target
7b06062372121380aca639a8d17b2a4e2e5f7f856dabb7144cb6305807250715.dll
-
Size
208KB
-
MD5
641047a686acc9d7a47b1fd0af39f2d0
-
SHA1
8d471a8ed8d1a64c9b97d02b6a5b957a7780277f
-
SHA256
7b06062372121380aca639a8d17b2a4e2e5f7f856dabb7144cb6305807250715
-
SHA512
5d4e5b35864506f3c9ed8b7851cb873398fa13195df24850ee4dbaf162086e50bd5460bcd6e3bff2ce9e16e7f4c1df60e42db66ced7a7c529f53f5e8f07bb58d
-
SSDEEP
3072:uHfKj5SssNrNqZIitP2Siy8uZV0wp7IkjmjB+qYBakN+gK9Rv3Tp2Bg:u/Kj5SrN/2Vx7IkjkB+qYEkogK9NoBg
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1656 rundll32mgr.exe -
resource yara_rule behavioral2/memory/1656-140-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/1656-141-0x0000000000400000-0x000000000041A000-memory.dmp upx behavioral2/memory/1656-142-0x0000000000400000-0x000000000041A000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3520 1568 WerFault.exe 81 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987827" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4218131079" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987827" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4128755419" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987827" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4128755419" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{20738E2B-4227-11ED-AECB-5203DB9D3E0F} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371462118" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1656 rundll32mgr.exe 1656 rundll32mgr.exe 1656 rundll32mgr.exe 1656 rundll32mgr.exe 1656 rundll32mgr.exe 1656 rundll32mgr.exe 1656 rundll32mgr.exe 1656 rundll32mgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5008 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1656 rundll32mgr.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5008 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5008 iexplore.exe 5008 iexplore.exe 1520 IEXPLORE.EXE 1520 IEXPLORE.EXE 1520 IEXPLORE.EXE 1520 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1656 rundll32mgr.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3036 wrote to memory of 1568 3036 rundll32.exe 81 PID 3036 wrote to memory of 1568 3036 rundll32.exe 81 PID 3036 wrote to memory of 1568 3036 rundll32.exe 81 PID 1568 wrote to memory of 1656 1568 rundll32.exe 82 PID 1568 wrote to memory of 1656 1568 rundll32.exe 82 PID 1568 wrote to memory of 1656 1568 rundll32.exe 82 PID 1656 wrote to memory of 5008 1656 rundll32mgr.exe 84 PID 1656 wrote to memory of 5008 1656 rundll32mgr.exe 84 PID 5008 wrote to memory of 1520 5008 iexplore.exe 87 PID 5008 wrote to memory of 1520 5008 iexplore.exe 87 PID 5008 wrote to memory of 1520 5008 iexplore.exe 87
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7b06062372121380aca639a8d17b2a4e2e5f7f856dabb7144cb6305807250715.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7b06062372121380aca639a8d17b2a4e2e5f7f856dabb7144cb6305807250715.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5008 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1520
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 6363⤵
- Program crash
PID:3520
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 15681⤵PID:4908
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5f525b778e6901e8c416e2920e4e3dc0b
SHA1917ce8ae6d64bdd4dd438488176253022c57a083
SHA256c9eee793aa4aa79f35d393f9f1d863483aaf4004dea6ac19bda868e92a71f8bd
SHA512f6f47a4935c09769b8df316e1b459c7b153ed26ac409d4bf2ce62a1635dba4eaf7ce77de5ce83100d6f3ce7aadffed7591fb7cee7ac10a0c081a2d3c613f1ad8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD587617352e8ad2e2ee421bf4a032e0218
SHA182a58a1c4ee019a16c98c3929826d59d97a90abb
SHA2563771f58a9625c641bff2775ed2d4b9726e729fbe593a7bcf66e9136085dd6221
SHA51264b8d441c77bb2198516f45b9548e92b3982b71fe17633ff34af78575c83baa100c17a9b62e47c0a5003c36cceff5ba07494b8fd87aa6a2605f939f8b643fa1e
-
Filesize
88KB
MD5a61ea5f2325332c52bff5bce3d161336
SHA13a883b8241f5f2efaa76367240db800d78a0209c
SHA256e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b
SHA512fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5
-
Filesize
88KB
MD5a61ea5f2325332c52bff5bce3d161336
SHA13a883b8241f5f2efaa76367240db800d78a0209c
SHA256e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b
SHA512fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5