Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 04:53

General

  • Target

    81134622ef48e098ac89fc5853d3a1d29835f2dd6a3c12e7b2e052cc6a810f67.dll

  • Size

    274KB

  • MD5

    60b03b9f62ef74c05816ab658a4bb420

  • SHA1

    1977cac573a88dfd084d5795a06652e566dd5183

  • SHA256

    81134622ef48e098ac89fc5853d3a1d29835f2dd6a3c12e7b2e052cc6a810f67

  • SHA512

    6de71442e793abf66d9adf6d75a4db31b1b00515c52240471f9fc1be93adc206e1750c224af90e757d35547997b2f34bea0a1d7bdf45f52a5da1fe4f55b7c903

  • SSDEEP

    6144:RatuZySlWDRI0jcAwcwypEGmFPHrA/8/5mB+9dnO6OJJVMs:R5yd3EcbpEGmFPVkBOO1Ms

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81134622ef48e098ac89fc5853d3a1d29835f2dd6a3c12e7b2e052cc6a810f67.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\81134622ef48e098ac89fc5853d3a1d29835f2dd6a3c12e7b2e052cc6a810f67.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3820
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1816
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 204
                6⤵
                • Program crash
                PID:2304
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3392
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4660
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4008
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4008 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1816 -ip 1816
      1⤵
        PID:2028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\WaterMark.exe

    Filesize

    65KB

    MD5

    849ef19ec0155d79d4fa5bfb5657b106

    SHA1

    eb7e7ff208ecb40d35755d8f36e31e2482166299

    SHA256

    8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

    SHA512

    30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8001DF69-4400-11ED-B696-4A8324823CC0}.dat

    Filesize

    3KB

    MD5

    f13f6e8bdeba59e1303836f9e7e55b46

    SHA1

    9250211acaa0e64e4e28261756b439d55d315ee1

    SHA256

    0ffa7b2e24c1cfd3faeaf6b372b0580dd3044a93229499b232ccc1cc3a6f8bff

    SHA512

    e207e95140ab62d92f69b8a7fb4547f72c28688603849a5abe2d804e3f7fcef4b094a71293d885c5ee93c8151021f25d01861e87237cf1b69412c219ff8d11b4

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{80020679-4400-11ED-B696-4A8324823CC0}.dat

    Filesize

    3KB

    MD5

    abf14939993275b5d2838bfea58dcb8e

    SHA1

    0d3a22bb7bd413af5a6d5cb8d83cb4c9cb32a16d

    SHA256

    96823fd8ca223b68cd7645cd771e6393a3236261140b7d3d4a2c142abf1f41db

    SHA512

    64eb5b136442b6134d81756386a9324ea273048160ef05b75f26fe50b06183e1e35df283d23115045e5a7d5f15ba7ea16681ee0abdcf8620728994e7378e79f0

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    65KB

    MD5

    849ef19ec0155d79d4fa5bfb5657b106

    SHA1

    eb7e7ff208ecb40d35755d8f36e31e2482166299

    SHA256

    8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

    SHA512

    30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

  • memory/1816-144-0x0000000000000000-mapping.dmp

  • memory/2108-133-0x0000000000000000-mapping.dmp

  • memory/2108-137-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2108-141-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2108-142-0x0000000000470000-0x0000000000491000-memory.dmp

    Filesize

    132KB

  • memory/3820-145-0x0000000000570000-0x0000000000591000-memory.dmp

    Filesize

    132KB

  • memory/3820-146-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3820-147-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3820-148-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3820-138-0x0000000000000000-mapping.dmp

  • memory/5080-132-0x0000000000000000-mapping.dmp

  • memory/5080-136-0x0000000010000000-0x000000001004C000-memory.dmp

    Filesize

    304KB