Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
20/10/2022, 12:41
General
-
Target
1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll
-
Size
454KB
-
MD5
a003aa5c85856f5d4f5ab277358ea710
-
SHA1
6845fd9cdd1d20c94918aabe87942638b7797762
-
SHA256
1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be
-
SHA512
c469cdbf3ac71f0dbad89dd5c50822aa82ecd83307b0e8eef0e0d74d056119a223336f75eb192abe4b8a91916bc2beb045376a317336bd270abf7ffbe20e28a7
-
SSDEEP
12288:7xGCOXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01b8nPCFZyQ9:twXz2aFZ3Tf
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Program crash 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 53 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 2047⤵
- Program crash
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4800 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4548 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 2048⤵
- Program crash
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 2046⤵
- Program crash
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 6283⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5024 -ip 50241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1408 -ip 14081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4352 -ip 43521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4240 -ip 42401⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
471B
MD57550b85aee4221c59808672005ed8855
SHA1aeb269eff06f518132b9ecea824523fa125ba2d2
SHA2562b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2
SHA512216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab
-
Filesize
471B
MD57550b85aee4221c59808672005ed8855
SHA1aeb269eff06f518132b9ecea824523fa125ba2d2
SHA2562b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2
SHA512216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab
-
Filesize
434B
MD5a25a44e9e385d32b3a36f35a93ec4115
SHA1e7bcfead5852fa7b40d4b39038f55230fa0c02c4
SHA256dae1654fa80f929481f49bf148f3b820972fc51684cc621bf7abf2a0526e0b6a
SHA512e4b2dc4eefe232bb3e85b67a6b3c5a86f27290614fd8db0524928e7d52045b4c82c290a866ddfceb143b1afd018b8f219090d7fc2e2a924f29684fdf7587e6cd
-
Filesize
434B
MD51590003a44fcb0f08b4b703ab4928dcd
SHA1e89bba23182d08959706cdd803a572eee57b6b22
SHA256c32bfbfec52a01857dc6b3f86cd9aa3255097f5d5ee79ab7bcdb2deea7dec93c
SHA5125d62747e41955758bed47ad029da844b132d504f21c0ae7721315e6b5580cad15ad1ef5c5a9829361a57f102d4a0a7bb8f9fd703ab9edc813e79832015875308
-
Filesize
3KB
MD5001a56433bbb7859572519bdfc23b5b7
SHA1919891d43bd20ed0c9650b50433b10cd418d1224
SHA256380d7a60f743a50f78689ee6e8aee3514bda43602acb7fa21b2665acb059fc34
SHA512a044580a9dba7bbf9eb07b17b6ace648afa8291079f4e169a1942d32a1623da38fa576e1977bde7be0f9b244665cd70ea82d7c0a180bed3fac6faf2532a547f1
-
Filesize
5KB
MD5ec970dbe1e1cd9c4707e5764ccc7e1bb
SHA17b160c7091de9d97ac22f6552fce6940d2eda8b8
SHA2564e67d0fa8e6fdf84866845cc680310a25dcfd64ad6e6954d7423eecf6b6c15de
SHA51298969a1554eaa2575f886c458100f63fd39b98c39d51187ee92703bd4546d9f34818154c11e314355e5d320a99732fd45373669f24c2da7c1e927af89af3c7f8
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
132KB
-
Filesize
164KB
-
Filesize
132KB
-
Filesize
288KB
-
Filesize
132KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
484KB