Analysis

  • max time kernel
    133s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 22:45

General

  • Target

    2b0d09433e0f203c50e0823f8a91cc9692aa67aec9bda04df5386049875b13c4.dll

  • Size

    300KB

  • MD5

    7b7eaaf107e4bc435c936213a22be9d0

  • SHA1

    f88a200fac18e323a1c6f04addba3d5f33c58518

  • SHA256

    2b0d09433e0f203c50e0823f8a91cc9692aa67aec9bda04df5386049875b13c4

  • SHA512

    b6af7edc5678c78d1e7c70632826c171a96f7b3bf8cafd68c20d6a90bdd12c1f8d62e58ba2515a96d679ddb335b456783d8a23a9e6e0d388fdf2dc932c7bfaa7

  • SSDEEP

    3072:ngKKuiX63bw5dNjDh8pWVgTlFIYn75q2dojA0DgU54Zf7WkoDycE5VN2tY:gKZp3KNjVGvt1GAu54qLVC

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b0d09433e0f203c50e0823f8a91cc9692aa67aec9bda04df5386049875b13c4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b0d09433e0f203c50e0823f8a91cc9692aa67aec9bda04df5386049875b13c4.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4968
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3392
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2516
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2204
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2044

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    7de3527d962389a61a0825bebf9031b7

    SHA1

    ffc04b363ec1d3976e454446827d36813002a9b7

    SHA256

    63db191be3bdce3f969a6f457edaa2bf5c9ec863a311540d719ad80ca9ce4a19

    SHA512

    57220b86487cefb01b4c2b9b904a147ea35133f490d5da092dbf10e1568c14a2f1359ed36529edc779335a9f4530c25a67d2065620379eec0e682b03389ae91d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    434B

    MD5

    f3ddeafe553c5913d695c76f9c196f75

    SHA1

    2a2126f6043a7be5d780f6ff7d7e022635c52053

    SHA256

    cda463945b0f509282c7f6b23f22b7623966b448e07ac40d12deb7d5fe7433bf

    SHA512

    222197ac741739224b67597d3962302fe15d987295260701b891c2a4c53726be94bb829a9967e7005f4534349db9a43df1982215c0bdf8b416bd63003fa11bb0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    434B

    MD5

    a9c8b5a59e69b1a32cd3d724789eb678

    SHA1

    f6f64ed5bd0664a08724c4988ba81d04416d164d

    SHA256

    b860248ab72b169f94fbc683e134df6c0f1af0e1f6c887b9fefb0e4714d9b819

    SHA512

    20ca17f6e91dd54d536073e85bd452ce917068d25f50aeca8afb1e4d27ae82b1a37dcf83705d4f1782cf1562baaf6a66ac5f2f55bd4eaf380c48230b14029bbb

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{37A225E0-49FE-11ED-A0EE-CA596584895B}.dat

    Filesize

    5KB

    MD5

    9768e918db722a1725edf4b00621f85b

    SHA1

    a232c0af9732b519e80dc47a54eb6ca8a536f1ab

    SHA256

    ab20ac406f32acbf6954767e0a21b5e590781228424455390f7ba80018751848

    SHA512

    1d0733eb3d1323ad8b3b6252ea26d1f608d7ad78571ed903e122543d583fb9a235716a66dcb4c0397e9073269bec2ee936dd66353f3845eae9a5d3ecf45d4312

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{37ABB22C-49FE-11ED-A0EE-CA596584895B}.dat

    Filesize

    5KB

    MD5

    ef21a510098e9f16cfa69d3ecfad0ba3

    SHA1

    9ef023cd78a7938f6a27428622e110dc214aa700

    SHA256

    cd7824cb44e329e5ae5650e6e2cc5c747278251bfbf28d7f26b406a490e2c277

    SHA512

    9c454e0042fec793b70bdc7cb87c78f2e82f8a9365a19baedc0c71f99e09f3e6b2775f420d82c9e61dacd958ec8f87a555d940308ce7c5e1b69348dec3a3c9d4

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    184KB

    MD5

    db09b05ab8a6d78115a57e64f32e5ffc

    SHA1

    35ad456f7f07ab7997f57f7a3c30f015cd0aff3f

    SHA256

    c4fab6a9118f3de90807501ef356cb301ed3cd713c1e9bd138604f5a6ab93c94

    SHA512

    a8be91b4329d9b94fbd3ed40718c352dd3385e625960bea2872d892a754a15f87c109917a4231d86e03b86578c9c4631f47ec330167ca97f2ddb51669f43c0d3

  • C:\Windows\SysWOW64\rundll32mgrmgr.exe

    Filesize

    91KB

    MD5

    551161ba25d6c58cf6a4afe7587f7dcb

    SHA1

    3f36d947c0d082433bb121a9914b4841ffbfb5af

    SHA256

    f676ab20252c6ff437c7e3db1a8a3875715bf1a5a59812439f296cb5cd724b58

    SHA512

    f68a52bcfafccaf9b4390f7cdd9a57544d82a1f41656aeaf98f46ddc0198e636a790088cf8b734244cc5144a00704a8430e469c46284387d04c5a38cba17b00e

  • memory/4968-149-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4968-147-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4968-144-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4968-156-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/5056-148-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/5056-145-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB