Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 10-05-2021 09:03
Static task: static1
Behavioral task: behavioral1
  Sample: f587adbd_by_Libranalysis.dll
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: f587adbd_by_Libranalysis.dll
  Resource: win10v20210408
General
- Target: f587adbd_by_Libranalysis.dll
- Size: 54KB
- MD5: f587adbd83ff3f4d2985453cd45c7ab1
- SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa
- SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
- SHA512: 37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe
Malware Config
Extracted
- Path: C:\\README.949640ab.TXT
- Family: darkside
- URL: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Blocklisted process makes network request (12 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  16   | 1740 | rundll32.exe
  17   | 1740 | rundll32.exe
  18   | 1740 | rundll32.exe
  19   | 1740 | rundll32.exe
  20   | 1740 | rundll32.exe
  21   | 1740 | rundll32.exe
  22   | 1740 | rundll32.exe
  23   | 1740 | rundll32.exe
  24   | 1740 | rundll32.exe
  25   | 1740 | rundll32.exe
  26   | 1740 | rundll32.exe
  27   | 1740 | rundll32.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\PushDebug.tif.949640ab | rundll32.exe
  File opened for modification | C:\Users\Admin\Pictures\RepairProtect.png.949640ab | rundll32.exe
- Drops startup file (2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.949640ab.TXT | rundll32.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.949640ab.TXT | rundll32.exe
- Drops file in System32 directory (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP" | rundll32.exe
- Modifies Control Panel (2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" | rundll32.exe
- Modifies data under HKEY_USERS (58 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cf6fc966789377e764853b21b2558c4195e7de76a623589734942c28b498892c | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 7069cdcf7b45d701 | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 4d1e92c70cac928a0f25662d19665f42e0e10d4f90012c844c714332d1311ae3 | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\949640ab.BMP" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0" | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 00070000b06f69cf7b45d701 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6790d1ff177824568bca52d8ff13642c805bbf9ac9408f62fca51d7a4924a2ae | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f799808e1125233405c96a52f575f6668c10c9f6cd658658ddf75c1fdd85f350 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = bc70ef0e97e2824697202e3a96cb68b31394f017ec65077325f9d705b6b20b7b | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f0537ab444827474b073d5f1ce95b308dbe8d862caa9abfc85099b2b104de7cb | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d5ea0c8efe62cdce10be4c3632a3312305d75a22a9071ed625e4bc90c395c2d9 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = bfd09991adab41d88310e73fb0f03acf6461b6b8c03fb53be1c5a400a3d33967 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 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 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32} | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e53cc6107bdb21ef6f2308ab0ca5d5edb3303c8a7ea5ff87b3144e25e3bdb07f | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1d616c01f4c97086d2005683590af9a9acb7e6bb42bcbabf7a24478fab53d418 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 7069cdcf7b45d701 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c38417f2acec96a2404ee99b65dc8240746d93178951c30c259c4196c423197f | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = f4f6caafbbe9147d9ac6b6465b1729bf9b06d014a597c291fffc91ba2fdc8e63 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c91d1fbd9df5444c2badcb22b2061886a248fa9c9b99eddbc2dfaccf1e3aab46 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2319a89412d127ae7a339bab604151f840bf4ba09429cbfb7a450b4d88027b8c | rundll32.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d4422f4fb94e4e4750e6b20b8cf36bb00c18d3f62078326bbba7e8d46282bcd9 | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = bf65e0d024c355c05f59124a345e87861ec297c874a4806f092261dae110721d | rundll32.exe
- Modifies registry class (5 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico" | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid  | process      | entries
  1740 | rundll32.exe | 2
  1792 | rundll32.exe | 48
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 896 | vssvc.exe
  Token: SeRestorePrivilege | 896 | vssvc.exe
  Token: SeAuditPrivilege | 896 | vssvc.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe
  description | pid | process | target process | entries
  PID 368 wrote to memory of 1392 | 368 | rundll32.exe | rundll32.exe | 7
  PID 2040 wrote to memory of 2032 | 2040 | rundll32.exe | rundll32.exe | 7
  PID 2032 wrote to memory of 1740 | 2032 | rundll32.exe | rundll32.exe | 7
  PID 1740 wrote to memory of 1792 | 1740 | rundll32.exe | rundll32.exe | 7
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
  Signatures:
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
  Signatures:
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
      Signatures:
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
          Signatures:
            - Blocklisted process makes network request
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Modifies Control Panel
            - Modifies data under HKEY_USERS
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
          Child processes:
            - C:\Windows\SysWOW64\rundll32.exe
              Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#3 worker0 job0-1740
              Signatures:
                - Modifies extensions of user files
                - Drops startup file
                - Modifies data under HKEY_USERS
                - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1392-59-0x0000000000000000-mapping.dmp
- memory/1392-60-0x0000000076661000-0x0000000076663000-memory.dmp (Filesize: 8KB)
- memory/1740-63-0x0000000000000000-mapping.dmp
- memory/1792-65-0x0000000000000000-mapping.dmp
- memory/2032-61-0x0000000000000000-mapping.dmp