Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 02:35
Behavioral task: behavioral1
Sample: b076bcb501485446eb9cdb450e4714a6.dll
Resource: win7-20240221-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: b076bcb501485446eb9cdb450e4714a6.dll
Resource: win10v2004-20240226-en
5 signatures, 150 seconds
General
Target: b076bcb501485446eb9cdb450e4714a6.dll
Size: 377KB
MD5: b076bcb501485446eb9cdb450e4714a6
SHA1: 3060798a91f01f729f0a8988643d48b576a708d6
SHA256: c69c2902135acc0c8511418682b3d0685c5b29f9ef2312d4775f25260bfbbc0d
SHA512: 557deac7a36f735a516dbf0825b23174031a9ccd37491c77779cd97e51d43a276130444470184fbac7dec2911701554e84c0bc88c8854827d0515235e4082a12
SSDEEP: 6144:8sot2A39Lm4lbN+U8xApz/orIiY5+HCp+RKe5MX3Zw6Xva1Q7n6IN4JC0bvm0Llz:8stom4v+SDoctkHCURjqZw6XvayPwjmC
Score: 6/10
Malware Config
Signatures
Modifies WinLogon (2 TTPs, 3 IoCs)
description   ioc                                                                                              process
Key created   \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS   rundll32.exe
Key created   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify        rundll32.exe
Key created   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS   rundll32.exe

Drops file in Windows directory (5 IoCs)
description                    ioc                                process
File created                   C:\Windows\259394858.dat           rundll32.exe
File created                   C:\Windows\259394905.dat           rundll32.exe
File created                   C:\Windows\259394952.dat           rundll32.exe
File created                   C:\Windows\help\nishiernai.dll     rundll32.exe
File opened for modification   C:\Windows\help\nishiernai.dll     rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid    process
2964   rundll32.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description                 pid    process
Token: SeRestorePrivilege   2964   rundll32.exe
Token: SeBackupPrivilege    2964   rundll32.exe
Token: SeRestorePrivilege   2964   rundll32.exe
Token: SeBackupPrivilege    2964   rundll32.exe
Token: SeRestorePrivilege   2964   rundll32.exe
Token: SeBackupPrivilege    2964   rundll32.exe
Token: SeRestorePrivilege   2964   rundll32.exe
Token: SeBackupPrivilege    2964   rundll32.exe
Token: SeRestorePrivilege   2964   rundll32.exe
Token: SeBackupPrivilege    2964   rundll32.exe
Token: SeDebugPrivilege     2964   rundll32.exe
Token: SeDebugPrivilege     2964   rundll32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    process        procid_target
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2904 wrote to memory of 2964   2904   rundll32.exe   28
PID 2964 wrote to memory of 436    2964   rundll32.exe   5
Processes
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 436

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b076bcb501485446eb9cdb450e4714a6.dll,#1
  PID: 2904
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 2904)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b076bcb501485446eb9cdb450e4714a6.dll,#1
    PID: 2964
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory