Analysis
- max time kernel: 14s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 10-05-2021 10:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: f587adbd_by_Libranalysis.dll
- Resource: win7v20210408
General
- Target: f587adbd_by_Libranalysis.dll
- Size: 54KB
- MD5: f587adbd83ff3f4d2985453cd45c7ab1
- SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa
- SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
- SHA512: 37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe
Malware Config
- Extracted: C:\\README.53411c86.TXT
- darkside
- http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V
Signatures
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
Blocklisted process makes network request 12 IoCs
Processes: rundll32.exe
flow | pid | process
- 6 | 980 | rundll32.exe
- 7 | 980 | rundll32.exe
- 8 | 980 | rundll32.exe
- 9 | 980 | rundll32.exe
- 10 | 980 | rundll32.exe
- 11 | 980 | rundll32.exe
- 12 | 980 | rundll32.exe
- 13 | 980 | rundll32.exe
- 14 | 980 | rundll32.exe
- 15 | 980 | rundll32.exe
- 16 | 980 | rundll32.exe
- 17 | 980 | rundll32.exe
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description | ioc | process
- File opened for modification | C:\Users\Admin\Pictures\CopyInvoke.png.53411c86 | rundll32.exe
- File opened for modification | C:\Users\Admin\Pictures\DebugExport.tif.53411c86 | rundll32.exe
- File opened for modification | C:\Users\Admin\Pictures\SaveUnlock.raw.53411c86 | rundll32.exe
- File opened for modification | C:\Users\Admin\Pictures\ConvertFromBackup.png.53411c86 | rundll32.exe
Drops startup file 2 IoCs
Processes: rundll32.exe
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT | rundll32.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT | rundll32.exe
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\53411c86.BMP" | rundll32.exe
Modifies Control Panel 2 IoCs
Processes: rundll32.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" | rundll32.exe
- Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop | rundll32.exe
Modifies data under HKEY_USERS 58 IoCs
Processes: rundll32.exe, rundll32.exe
description | ioc | process
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f06b33528578a1f1f89449bff741c1b8e1bdee50c335cd84bd2e03ee94da5d4b | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 6e381e7a392ee223d8da8a74b08bc74fc32968040588c1ab3d77e6608c466f4e | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 163dc193cdb72748febf07984d69e6e425454bac901bd95b2338d0cab870f4c0 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 6f3ec72fb19f42771d18107f81ec0e7c4413352090492c25b584225f6ed06705 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1" | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = a072d0689645d701 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = ecaed9878474dfd8da48fc4359c6fe0bde753bf06d9369afbf478762f5ddbc3a | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 818ecc2e32a9c9d08ffa1ff7e73beea90a9642a6cc3649f352cb8f30129de4e6 | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\53411c86.BMP" | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d824dacad8c54c7c42aa0ebcdb91e0afb4e55a0e06735e7cbd5d99d3da68747c | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 237f78b1401f86a9848fba811da2e9c8cce11d8791ef7159d8d00cf6dc1d6aac | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 98060000004291699645d701 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 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 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 48148ed64638af5a5fdc3970743304e8a9ad2110a62ec831dcacd084d698ef50 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 227edab10558955887b11fc7675b4f8eaf41b0d455d64a6ac98165e50ac74257 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 6edf65cde450207db86c362833fe258220f8cda71df2eb06ae0874ba3b61454f | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cdcb51054ad9e97e47e321fb0c9187f3741e3cfca96ebf34e444a3e946c76039 | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7} | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = a072d0689645d701 | rundll32.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d6a22b34030f10a37b0e4cf0b4b479b0d242abc8f9d2c02c6f5f2ca17c56dc67 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9fb4c9ab250b6feca9257f734a052bea7d46a16d21d5b26e64fc94abbbad45b6 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 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 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 85e4bd8e27f04adc110022092ff6f1858e2e9f1f3cf50ebeaee3d1b0f5003cb9 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e50a93a37f6cc2d05f1d00fc7aeb9ab2f6947f0526414989e3dd90d0774d36ae | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\32-e2-17-db-d2-77 | rundll32.exe
Modifies registry class 5 IoCs
Processes: rundll32.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86 | rundll32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86\ = "53411c86" | rundll32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon | rundll32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86 | rundll32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon\ = "C:\\ProgramData\\53411c86.ico" | rundll32.exe
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes: rundll32.exe, rundll32.exe
pid | process
- 980 | rundll32.exe (2 entries)
- 1688 | rundll32.exe (48 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
description | pid | process
- Token: SeBackupPrivilege | 840 | vssvc.exe
- Token: SeRestorePrivilege | 840 | vssvc.exe
- Token: SeAuditPrivilege | 840 | vssvc.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes: rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe
description | pid | process | target process
- PID 1848 wrote to memory of 2008 | 1848 | rundll32.exe | rundll32.exe (7 entries)
- PID 776 wrote to memory of 780 | 776 | rundll32.exe | rundll32.exe (7 entries)
- PID 780 wrote to memory of 980 | 780 | rundll32.exe | rundll32.exe (7 entries)
- PID 980 wrote to memory of 1688 | 980 | rundll32.exe | rundll32.exe (7 entries)
Processes
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#3 worker0 job0-980
        - Modifies extensions of user files
        - Drops startup file
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/780-61-0x0000000000000000-mapping.dmp
- memory/980-63-0x0000000000000000-mapping.dmp
- memory/1688-65-0x0000000000000000-mapping.dmp
- memory/2008-59-0x0000000000000000-mapping.dmp
- memory/2008-60-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize 8KB)