Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2023 13:29
Static task: static1
Behavioral task: behavioral1
  Sample: 17112023_2229_Anesthesiology__.dll
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 17112023_2229_Anesthesiology__.dll
  Resource: win10v2004-20231023-en
Behavioral task: behavioral3
  Sample: launcher.bat
  Resource: win7-20231023-en
General
- Target: launcher.bat
- Size: 85B
- MD5: 11b18328dbf6f85ca1114d86cbb2cc38
- SHA1: 49db5b4ea10b9de6582af949d3c9dcf4f1b400fc
- SHA256: 89e8bc784d49ff6dbbf1670222458fa4cf2e4bb736f18bf2d17ccc06a1c4ba21
- SHA512: 2696f155124c09db32ce58a3393bdf6144a03c3aecd4eadfbaa9f3525a1134bd513ea2e7457dd3dfb2828007578b97a54ed2f91313d57bf1dc6a2d45d6ea3cad
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
    description                          pid   process       target process
    PID 2784 set thread context of 3376  2784  rundll32.exe  SearchProtocolHost.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, netstat.exe
    pid   process
    3944  ipconfig.exe
    1744  netstat.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: SearchProtocolHost.exe
    pid   process
    3376  SearchProtocolHost.exe
    3376  SearchProtocolHost.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes: rundll32.exe
    pid   process
    2784  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes: whoami.exe, netstat.exe
    description              pid   process      occurrences
    Token: SeDebugPrivilege  4376  whoami.exe   27
    Token: SeDebugPrivilege  1744  netstat.exe  1
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
    description                       pid   process       target process          occurrences
    PID 4996 wrote to memory of 2292  4996  cmd.exe       rundll32.exe            2
    PID 2292 wrote to memory of 2784  2292  rundll32.exe  rundll32.exe            3
    PID 2784 wrote to memory of 3376  2784  rundll32.exe  SearchProtocolHost.exe  59
Processes
- [depth 1] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe 17112023_2229_Anesthesiology__.dll, Throw
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe 17112023_2229_Anesthesiology__.dll, Throw
      - Suspicious use of SetThreadContext
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\SearchProtocolHost.exe
        command line: "C:\Windows\System32\SearchProtocolHost.exe"
        - Suspicious behavior: EnumeratesProcesses
        - [depth 5] C:\Windows\SysWOW64\whoami.exe
          command line: whoami.exe /all
          - Suspicious use of AdjustPrivilegeToken
        - [depth 5] C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig.exe /all
          - Gathers network information
        - [depth 5] C:\Windows\SysWOW64\netstat.exe
          command line: netstat.exe -aon
          - Gathers network information
          - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2784-0-0x00000000023C0000-0x00000000023C3000-memory.dmp (filesize 12KB)
- memory/2784-1-0x0000000010000000-0x00000000100CB000-memory.dmp (filesize 812KB)
- memory/3376-6-0x0000000000580000-0x00000000005CE000-memory.dmp (filesize 312KB)
- memory/3376-8-0x0000000000580000-0x00000000005CE000-memory.dmp (filesize 312KB)
- memory/3376-9-0x0000000000580000-0x00000000005CE000-memory.dmp (filesize 312KB)
- memory/3376-10-0x0000000000580000-0x00000000005CE000-memory.dmp (filesize 312KB)
- memory/3376-11-0x0000000000580000-0x00000000005CE000-memory.dmp (filesize 312KB)
- memory/3376-14-0x0000000000580000-0x00000000005CE000-memory.dmp (filesize 312KB)