Overview

overview

10

Static

static

f28be13e3b...32.dll

windows7-x64

10

f28be13e3b...32.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    129s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f28be13e3bdf3c25916f7a6712465bc2405afb6b5931db2fc5f5d1316f7c5332.dll

  • Size

    184KB

  • MD5

    64c2681e0741e4a504862266d6dee021

  • SHA1

    4c7af8e37bb21b47e92c3194d105420684295893

  • SHA256

    f28be13e3bdf3c25916f7a6712465bc2405afb6b5931db2fc5f5d1316f7c5332

  • SHA512

    1510dae97b5900ef6a1b5223649ca8ea2567b256b2cbcdf47c808401d83563c42ce2211147bb668c5433f7fc2537eb3faca0e698a5782690d9dd13705e2c7616

  • SSDEEP

    3072:qvXmimD0k0QRW1PhI1sItKOgGdX3DUP+ooqApFtEU1aFjKGyfHaWlmgM89Wl:q+fD/0QSzItKOgGFYGooqKEQf6WzMh

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 19 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f28be13e3bdf3c25916f7a6712465bc2405afb6b5931db2fc5f5d1316f7c5332.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f28be13e3bdf3c25916f7a6712465bc2405afb6b5931db2fc5f5d1316f7c5332.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:5040
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 204
                6⤵
                • Program crash
                PID:4284
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:4312
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1992
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5040 -ip 5040
      1⤵
        PID:4992

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        92KB

        MD5

        e6d2ce425ee7875c2b6006c7ca938f16

        SHA1

        b47bd42fbe8948ca5284e7d4d7d98464f5834d12

        SHA256

        69379c2c6b3da8617d2af7e2745f929dc1545297ff0b4d5e3e1c50643b091101

        SHA512

        bbac6540b44e5413b37e6dada09e78602a790178352fcd2b0a357272b16de0e594b89952ed7d725639edc44dad94d6cffd61c6c2e74d551afd3d30d874d364cb

        Download Submit

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        92KB

        MD5

        e6d2ce425ee7875c2b6006c7ca938f16

        SHA1

        b47bd42fbe8948ca5284e7d4d7d98464f5834d12

        SHA256

        69379c2c6b3da8617d2af7e2745f929dc1545297ff0b4d5e3e1c50643b091101

        SHA512

        bbac6540b44e5413b37e6dada09e78602a790178352fcd2b0a357272b16de0e594b89952ed7d725639edc44dad94d6cffd61c6c2e74d551afd3d30d874d364cb

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        92KB

        MD5

        e6d2ce425ee7875c2b6006c7ca938f16

        SHA1

        b47bd42fbe8948ca5284e7d4d7d98464f5834d12

        SHA256

        69379c2c6b3da8617d2af7e2745f929dc1545297ff0b4d5e3e1c50643b091101

        SHA512

        bbac6540b44e5413b37e6dada09e78602a790178352fcd2b0a357272b16de0e594b89952ed7d725639edc44dad94d6cffd61c6c2e74d551afd3d30d874d364cb

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        92KB

        MD5

        e6d2ce425ee7875c2b6006c7ca938f16

        SHA1

        b47bd42fbe8948ca5284e7d4d7d98464f5834d12

        SHA256

        69379c2c6b3da8617d2af7e2745f929dc1545297ff0b4d5e3e1c50643b091101

        SHA512

        bbac6540b44e5413b37e6dada09e78602a790178352fcd2b0a357272b16de0e594b89952ed7d725639edc44dad94d6cffd61c6c2e74d551afd3d30d874d364cb

        Download Submit

      • memory/2080-156-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2080-153-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2080-155-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2080-157-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2080-146-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2080-148-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2080-149-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2080-154-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2632-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2632-142-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2632-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download