Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
24-11-2024 20:40
Static task
static1
Behavioral task
behavioral1
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral5
Sample
myguy.hta
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral6
Sample
svchost.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
027cc450ef5f8c5f653329641ec1fed9.dll
-
Size
353KB
-
MD5
71b6a493388e7d0b40c83ce903bc6b04
-
SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
-
SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
-
SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
SSDEEP
6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0029000000045067-14.dat mimikatz -
Deletes itself 1 IoCs
pid Process 3116 rundll32.exe -
Executes dropped EXE 1 IoCs
pid Process 552 95C8.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 rundll32.exe -
Drops file in Program Files directory 31 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jni.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jawt.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\javafx-src.zip rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg rundll32.exe File opened for modification C:\Program Files\Microsoft Office\Office16\OSPP.VBS rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC rundll32.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX rundll32.exe File opened for modification C:\Program Files\SearchUnblock.docx rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\classfile_constants.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip rundll32.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG rundll32.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\jvmti.h rundll32.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT rundll32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\027cc450ef5f8c5f653329641ec1fed9 rundll32.exe File created C:\Windows\dllhost.dat rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3520 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3116 rundll32.exe 3116 rundll32.exe 552 95C8.tmp 552 95C8.tmp 552 95C8.tmp 552 95C8.tmp 552 95C8.tmp 552 95C8.tmp -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeShutdownPrivilege 3116 rundll32.exe Token: SeDebugPrivilege 3116 rundll32.exe Token: SeTcbPrivilege 3116 rundll32.exe Token: SeDebugPrivilege 552 95C8.tmp -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1604 wrote to memory of 3116 1604 rundll32.exe 81 PID 1604 wrote to memory of 3116 1604 rundll32.exe 81 PID 1604 wrote to memory of 3116 1604 rundll32.exe 81 PID 3116 wrote to memory of 1084 3116 rundll32.exe 82 PID 3116 wrote to memory of 1084 3116 rundll32.exe 82 PID 3116 wrote to memory of 1084 3116 rundll32.exe 82 PID 3116 wrote to memory of 552 3116 rundll32.exe 83 PID 3116 wrote to memory of 552 3116 rundll32.exe 83 PID 1084 wrote to memory of 3520 1084 cmd.exe 86 PID 1084 wrote to memory of 3520 1084 cmd.exe 86 PID 1084 wrote to memory of 3520 1084 cmd.exe 86
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\027cc450ef5f8c5f653329641ec1fed9.dll,#12⤵
- Deletes itself
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 21:443⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 21:444⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3520
-
-
-
C:\Users\Admin\AppData\Local\Temp\95C8.tmp"C:\Users\Admin\AppData\Local\Temp\95C8.tmp" \\.\pipe\{C7570043-6060-44B6-92BC-A3BEC8871988}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD57e37ab34ecdcc3e77e24522ddfd4852d
SHA138e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA25602ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA5121b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587