Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 16:12
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_849c748f9a37d4125779f6b31435d220.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: VirusShare_849c748f9a37d4125779f6b31435d220.dll
  Resource: win10v2004-20231215-en
General
Target: VirusShare_849c748f9a37d4125779f6b31435d220.dll
Size: 156KB
MD5: 849c748f9a37d4125779f6b31435d220
SHA1: ab26f79f3726b2a066f73f2711d8362486ff93ce
SHA256: a7d1e0426d5ec9205c571cbafa558475f0a8fb701500a1353fd8fd5ad5a91c89
SHA512: 131d7c664211b581d061005ad6686e4dd2191727ced66b371dbc34895f2f426bc57d93c97da2ed39bd47b00154c96827d7d4868001a62e7f1027d0aea621468c
SSDEEP: 3072:NLkD7BY9kS2O0to3IzwtVgHtWt8PgIJY7Ctp:NLS7BCk1tWIiV0Wq3JY7C
Malware Config
Signatures
UPX dump on OEP (original entry point) - 13 IoCs
  resource (yara_rule: UPX)
  behavioral1/memory/1104-0-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1104-3-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1104-4-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-10-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-28-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1104-27-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-39-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-56-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-151-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-183-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-194-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-211-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-247-0x000000000B000000-0x000000000B031000-memory.dmp
Blocklisted process makes network request - 4 IoCs
  flow  pid   Process
  2     1664  rundll32.exe
  3     1664  rundll32.exe
  4     1664  rundll32.exe
  5     1664  rundll32.exe
Loads dropped DLL - 1 IoCs
  pid   Process
  1664  rundll32.exe
  resource (yara_rule: upx)
  behavioral1/memory/1104-0-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1104-3-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1104-4-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-10-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-28-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1104-27-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-39-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-56-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-151-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-183-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-194-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-211-0x000000000B000000-0x000000000B031000-memory.dmp
  behavioral1/memory/1664-247-0x000000000B000000-0x000000000B031000-memory.dmp
Drops file in Program Files directory - 3 IoCs
  description                   ioc                        Process
  File created                  C:\PROGRA~3\ggdvtnb.cpp    rundll32.exe
  File created                  C:\PROGRA~3\bntvdgg.fee    rundll32.exe
  File opened for modification  C:\PROGRA~3\bntvdgg.fee    rundll32.exe
Enumerates physical storage devices - 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory - 14 IoCs
  description                       pid   Process       procid_target
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1072 wrote to memory of 1104  1072  rundll32.exe  28
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
  PID 1104 wrote to memory of 1664  1104  rundll32.exe  29
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_849c748f9a37d4125779f6b31435d220.dll,#1
  PID: 1072
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_849c748f9a37d4125779f6b31435d220.dll,#1
    PID: 1104
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\PROGRA~3\ggdvtnb.cpp,XXS1
      PID: 1664
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.9MB
MD5: 901f48ef078bc4b200b5e50ecae97049
SHA1: b807014d28479c1c6bd25b3cae2906587e97bcd9
SHA256: 66b6854ce91c301150da8a1347705d640d37ccb56ee5ac1a5d86c61683658eef
SHA512: 4fb76f0a505953bdda29e6c4e00a874f6239b86141a2a6daa467bdf1cfd1274af600a2027babc540b212540ec27a6f8c0616b7e1dc0b864ef0d24901b3fce06e

Filesize: 156KB
MD5: 849c748f9a37d4125779f6b31435d220
SHA1: ab26f79f3726b2a066f73f2711d8362486ff93ce
SHA256: a7d1e0426d5ec9205c571cbafa558475f0a8fb701500a1353fd8fd5ad5a91c89
SHA512: 131d7c664211b581d061005ad6686e4dd2191727ced66b371dbc34895f2f426bc57d93c97da2ed39bd47b00154c96827d7d4868001a62e7f1027d0aea621468c