f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70

General

Target

f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll
Size

4.6MB
MD5

3e1ed972a8d8bdc771949e28d68cd3f3
SHA1

2cdf048397f297b21d146864800c911e42bdf223
SHA256

f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70
SHA512

d68a053aa2325182b7582b409039d6edfbcf48ff6027acde62c33441e587e409aa015d55df27d57947a68ff946152ac6dcd972facf25fefba95e6b00d0c4df84
SSDEEP

98304:Bvrr7GMY+Ukb8fljBEB/X+eMC/Q56aYMsrHRc/2nBmmk1FXUessPF:tr/meBPRMC/nalsT+/WmBFXO0

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

1440 dwm.exe

pid	process
1440	dwm.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
behavioral1/memory/1440-61-0x000000013FD50000-0x00000001400FD000-memory.dmp	vmprotect
behavioral1/memory/1440-64-0x000000013FD50000-0x00000001400FD000-memory.dmp	vmprotect
behavioral1/memory/1440-66-0x000000013FD50000-0x00000001400FD000-memory.dmp	vmprotect

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1080 rundll32.exe
1972
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dwm.exe

pid process

1440 dwm.exe

pid	process
1440	dwm.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

rundll32.exe

pid	process
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dwm.exe

description pid process

Token: SeLockMemoryPrivilege 1440 dwm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rundll32.exe

pid process

1080 rundll32.exe
1080 rundll32.exe

description	pid	process
Token: SeLockMemoryPrivilege	1440	dwm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1080	748	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1440	1080	rundll32.exe	dwm.exe
PID 1080 wrote to memory of 1440	1080	rundll32.exe	dwm.exe
PID 1080 wrote to memory of 1440	1080	rundll32.exe	dwm.exe
PID 1080 wrote to memory of 1440	1080	rundll32.exe	dwm.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll,#1
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.2
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
memory/1080-54-0x0000000000000000-mapping.dmp

Download
memory/1080-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1080-65-0x00000000025F0000-0x000000000299D000-memory.dmp

Filesize
3.7MB

Download
memory/1440-57-0x0000000000000000-mapping.dmp

Download
memory/1440-61-0x000000013FD50000-0x00000001400FD000-memory.dmp

Filesize
3.7MB

Download
memory/1440-64-0x000000013FD50000-0x00000001400FD000-memory.dmp

Filesize
3.7MB

Download
memory/1440-66-0x000000013FD50000-0x00000001400FD000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads