Analysis
- max time kernel: 140s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-06-2023 15:30
Behavioral task behavioral1
- Sample: cd1bb3e15e00395238f8f995f0f206bde69479d422c119517685fd009e951218.dll
- Resource: win7-20230621-en
Behavioral task behavioral2
- Sample: cd1bb3e15e00395238f8f995f0f206bde69479d422c119517685fd009e951218.dll
- Resource: win10v2004-20230621-en
General
- Target: cd1bb3e15e00395238f8f995f0f206bde69479d422c119517685fd009e951218.dll
- Size: 2.9MB
- MD5: 71c3d24af19ec09608dabf93f56e8c80
- SHA1: 3da1104b67c1509c27c1236369016594a0641048
- SHA256: cd1bb3e15e00395238f8f995f0f206bde69479d422c119517685fd009e951218
- SHA512: 0043022ac9ba177b19c04105c55cb6c75ca0d1aeb3f029cd1afe1dfee196306d4f55b481523a22ec61ab889508117d37b1f08ae642da270f171f83e8b2296a5e
- SSDEEP: 49152:/q3jDLMcXShsmWF73/YqYAWysjU3BFFspj2xI8g7k/Y2idB+V:0vFSmlhYAWyssBFFAGInwidC
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
- flow 7, pid 1004, process rundll32.exe
- flow 8, pid 1004, process rundll32.exe
- flow 12, pid 1004, process rundll32.exe
- flow 13, pid 1004, process rundll32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\SysWOW64\\rundll32.exe"; process: rundll32.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: rundll32.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 1004, process rundll32.exe (the same entry is listed 64 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- pid 4560, process wmic.exe: the following tokens, each listed twice in sequence (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 1808, process wmic.exe: the same 21 tokens once in the same order, followed by a second SeIncreaseQuotaPrivilege (22 entries)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- description: PID 4284 wrote to memory of 1004; pid 4284; process rundll32.exe; target process rundll32.exe (listed 3 times)
- description: PID 1004 wrote to memory of 4560; pid 1004; process rundll32.exe; target process wmic.exe (listed 3 times)
- description: PID 1004 wrote to memory of 1808; pid 1004; process rundll32.exe; target process wmic.exe (listed 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd1bb3e15e00395238f8f995f0f206bde69479d422c119517685fd009e951218.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd1bb3e15e00395238f8f995f0f206bde69479d422c119517685fd009e951218.dll,#1
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe (child)
      Command line: wmic cpu get processorid
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe (child)
      Command line: wmic diskdrive get serialnumber
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1004-133-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB
- memory/1004-134-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB
- memory/1004-135-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB
- memory/1004-136-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB
- memory/1004-137-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-140-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-143-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-141-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-145-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-146-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-148-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-149-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-151-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-153-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-156-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-155-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-157-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-160-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-159-0x0000000010000000-0x000000001017D000-memory.dmp: 1.5MB
- memory/1004-161-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB
- memory/1004-173-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB
- memory/1004-174-0x0000000075290000-0x000000007582A000-memory.dmp: 5.6MB