b1f1237f3bf5667bf62719cf9fd741263e1cf7a61ff92741dc6dcb801cd35378

General

Target

rDHL_AWB6078538091.exe
Size

637KB
MD5

ac7369be431a46342ea797c8bee58a0c
SHA1

b9da55749cb12d38a1af153e6dc773e016b7d55f
SHA256

b1f1237f3bf5667bf62719cf9fd741263e1cf7a61ff92741dc6dcb801cd35378
SHA512

25f6cfd8ef3a1463ae5b9918fb364aee18b924641537d354ae20cbe43928a84665dbd73fd2408f0c85bec3f433de7b98217b7be18a2dc1031b7c895aaffc7090
SSDEEP

12288:20ceOufcwI2OYVUbKE5UXMWXIGCjrILDSnEYPLxKOTWmBjfSrOHMzN:200mhhOxbK650LDSnEYPXnqaHM

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2652 set thread context of 1248	2652	rDHL_AWB6078538091.exe	19
PID 2652 set thread context of 588	2652	rDHL_AWB6078538091.exe	31
PID 588 set thread context of 1248	588	dvdplay.exe	19

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2804	rDHL_AWB6078538091.exe
2804	rDHL_AWB6078538091.exe
2804	rDHL_AWB6078538091.exe
2804	rDHL_AWB6078538091.exe
2804	rDHL_AWB6078538091.exe
2804	rDHL_AWB6078538091.exe
2804	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
2652	rDHL_AWB6078538091.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe
588	dvdplay.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2652	rDHL_AWB6078538091.exe
1248	Explorer.EXE
1248	Explorer.EXE
588	dvdplay.exe
588	dvdplay.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	rDHL_AWB6078538091.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 2804 wrote to memory of 2652	2804	rDHL_AWB6078538091.exe	28
PID 1248 wrote to memory of 588	1248	Explorer.EXE	31
PID 1248 wrote to memory of 588	1248	Explorer.EXE	31
PID 1248 wrote to memory of 588	1248	Explorer.EXE	31
PID 1248 wrote to memory of 588	1248	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\rDHL_AWB6078538091.exe
  "C:\Users\Admin\AppData\Local\Temp\rDHL_AWB6078538091.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\rDHL_AWB6078538091.exe
    "C:\Users\Admin\AppData\Local\Temp\rDHL_AWB6078538091.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2652
- C:\Windows\SysWOW64\dvdplay.exe
  "C:\Windows\SysWOW64\dvdplay.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-31-0x0000000000680000-0x0000000000722000-memory.dmp

Filesize
648KB

Download
memory/588-30-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/588-29-0x0000000000680000-0x0000000000722000-memory.dmp

Filesize
648KB

Download
memory/588-28-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/588-27-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/588-24-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/588-23-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1248-22-0x0000000004C80000-0x0000000004D80000-memory.dmp

Filesize
1024KB

Download
memory/2652-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-21-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/2652-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-26-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/2652-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-25-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-17-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/2652-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-0-0x0000000001060000-0x0000000001106000-memory.dmp

Filesize
664KB

Download
memory/2804-6-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-16-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-14-0x0000000005000000-0x0000000005040000-memory.dmp

Filesize
256KB

Download
memory/2804-5-0x0000000004F50000-0x0000000004FD8000-memory.dmp

Filesize
544KB

Download
memory/2804-4-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2804-3-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2804-2-0x0000000005000000-0x0000000005040000-memory.dmp

Filesize
256KB

Download
memory/2804-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing