Analysis

max time kernel: 175s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 19:39
Static task: static1
Behavioral task: behavioral1
Sample: 66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll
Resource: win7-20220812-en
General

Target: 66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll
Size: 156KB
MD5: a7715ab03671b7ad07badcafb52bc5a3
SHA1: 4fbf6b905ba591e66782daf1a05e8004f462203b
SHA256: 66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09
SHA512: 1107fa4382f08bdcaddc392c0dfe38031ce7faedb926843c6e6bfc749ec3ac580ae62eaf9f5ca7934db42d0a8becd04364f74560496426ab5b7d7f1a59fc9494
SSDEEP: 3072:4xrFrIhR08c8cNDgvuZrXFmBGVDjIO6o3o5WIf:ErFchR+8cNcvErXF+PNo3yJ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid | process
  856 | rundll32mgr.exe

YARA rule match: upx
  resource | yara_rule
  behavioral2/memory/856-138-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/856-139-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/856-140-0x0000000000400000-0x000000000041A000-memory.dmp | upx

Drops file in System32 directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe

Program crash (1 IoC)
  pid | pid_target | process | target process
  2352 | 2276 | WerFault.exe | rundll32.exe

Modifies Internet Explorer settings
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999401" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375829982" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999401" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3961437748" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3961437748" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{05DA723C-6F5D-11ED-919F-D668443210E4} = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe
  856 | rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 856 | rundll32mgr.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  4704 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | process
  4704 | iexplore.exe
  4704 | iexplore.exe
  2572 | IEXPLORE.EXE
  2572 | IEXPLORE.EXE
  2572 | IEXPLORE.EXE
  2572 | IEXPLORE.EXE

Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  856 | rundll32mgr.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | process | target process
  PID 2688 wrote to memory of 2276 | 2688 | rundll32.exe | rundll32.exe
  PID 2688 wrote to memory of 2276 | 2688 | rundll32.exe | rundll32.exe
  PID 2688 wrote to memory of 2276 | 2688 | rundll32.exe | rundll32.exe
  PID 2276 wrote to memory of 856 | 2276 | rundll32.exe | rundll32mgr.exe
  PID 2276 wrote to memory of 856 | 2276 | rundll32.exe | rundll32mgr.exe
  PID 2276 wrote to memory of 856 | 2276 | rundll32.exe | rundll32mgr.exe
  PID 856 wrote to memory of 4704 | 856 | rundll32mgr.exe | iexplore.exe
  PID 856 wrote to memory of 4704 | 856 | rundll32mgr.exe | iexplore.exe
  PID 4704 wrote to memory of 2572 | 4704 | iexplore.exe | IEXPLORE.EXE
  PID 4704 wrote to memory of 2572 | 4704 | iexplore.exe | IEXPLORE.EXE
  PID 4704 wrote to memory of 2572 | 4704 | iexplore.exe | IEXPLORE.EXE
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66a0ea8de59c6924c29afbc8d5706cece37edd9cc56602a32f81c45be1b99e09.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 668
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2276 -ip 2276
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\rundll32mgr.exe
  Filesize: 129KB
  MD5: 136ec6fc6d20477735fc35c3d9c817d2
  SHA1: a29426a337b4be6bb0641463f13a6f2c3102bcf1
  SHA256: 3ae76ee416ef817656fd489d69649f1bfa5f5f242d3a6caa82f9212f40f76c32
  SHA512: 431b1bb7cd27daa55fd83167f25cebcf1028b1e1ab8e4537ec237cfb1fb44ebecd3dd2c64e8b5a8822916acf6ff3fd2efd44621d2f50f45db9a448e97e6025bd
memory/856-133-0x0000000000000000-mapping.dmp

memory/856-138-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/856-139-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/856-140-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB

memory/2276-132-0x0000000000000000-mapping.dmp

memory/2276-141-0x0000000004800000-0x0000000004827000-memory.dmp
  Filesize: 156KB