Analysis
max time kernel: 150s
max time network: 142s
platform: windows10_x64
resource: win10v20210408
submitted: 13-05-2021 12:56

Static task: static1

Behavioral task: behavioral1
  Sample: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe
  Resource: win10v20210408
General
Target: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe
Size: 352KB
MD5: dd21a3a58b5142e8a7de2ef73066f309
SHA1: f91f60a05764bc1739f26701c07a0486eaf94308
SHA256: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670
SHA512: 9314f6ea0c08c910c05380234709d1722652725aa8178be1213753c73227d2dfc8c54aba3cd5f45890ed91665b8d4c0c733062e231047989ca8dc9e8f8b8ab80
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3036  dialript.exe
  740   ~9D3F.tmp
  60    RdpStend.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ddodtmac = "C:\\Users\\Admin\\AppData\\Roaming\\cmstdiag\\dialript.exe"
  process: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

Drops file in System32 directory (1 IoC)
Processes:
  description: File created
  ioc: C:\Windows\SysWOW64\RdpStend.exe
  process: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                          process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz         WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                        process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS          WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

Modifies registry class (1 IoC)
Processes:
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
  process: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process
  3856  WINWORD.EXE
  3856  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  3036  dialript.exe    (2 entries)
  3048  Explorer.EXE    (32 entries, alternating in pairs with RdpStend.exe)
  60    RdpStend.exe    (30 entries, alternating in pairs with Explorer.EXE)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3048  Explorer.EXE
Suspicious use of AdjustPrivilegeToken (38 IoCs)
Processes:
  description                        pid   process
  Token: SeShutdownPrivilege         3048  Explorer.EXE   (19 entries)
  Token: SeCreatePagefilePrivilege   3048  Explorer.EXE   (19 entries, alternating with the above)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  3048  Explorer.EXE
  3048  Explorer.EXE

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process
  3048  Explorer.EXE
  3048  Explorer.EXE

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  pid   process
  3856  WINWORD.EXE   (8 entries)

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid   process
  3048  Explorer.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      pid   process                                                                   target process
  PID 4656 wrote to memory of 3036  4656  cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe  dialript.exe
  PID 4656 wrote to memory of 3036  4656  cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe  dialript.exe
  PID 4656 wrote to memory of 3036  4656  cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe  dialript.exe
  PID 3036 wrote to memory of 740   3036  dialript.exe                                                              ~9D3F.tmp
  PID 3036 wrote to memory of 740   3036  dialript.exe                                                              ~9D3F.tmp
  PID 740 wrote to memory of 3048   740   ~9D3F.tmp                                                                 Explorer.EXE
  PID 4656 wrote to memory of 3856  4656  cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe  WINWORD.EXE
  PID 4656 wrote to memory of 3856  4656  cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe  WINWORD.EXE
Processes
C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage

  C:\Users\Admin\AppData\Local\Temp\cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp  (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (depth 3)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~9DEB.tmp.docx" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\RdpStend.exe  (depth 1)
  command line: C:\Windows\SysWOW64\RdpStend.exe -k
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\~9D3F.tmp
  MD5: 81c1a1c7a67e759cbb883aca3f7b0426
  SHA1: 563be97aef63e41c37c0372a086014ed3ec53dc9
  SHA256: aa0929f50e4ba7da5751009b444e6d0e180b39a81155c0ae92c527a3e6336d9c
  SHA512: 10b4dd13edb0091fa3a3f54129a5a352644c2434f052f177e6e31800ca6e2c17cab3b25a5749479d11861dcec93d70d590046e60690a6740782e662051a8b419

C:\Users\Admin\AppData\Local\Temp\~9DEB.tmp.docx
  MD5: fee3944c7c5bf660e2ee3ebeee861ab1
  SHA1: 0808cf02731aa1560ae53591339fee7189d29823
  SHA256: f0022e17f4b613886f6122fa2938c8522f639cb98a4816e0e4a913ab4805cf78
  SHA512: 6a6977649f20489230de512c2cfc6ab96bf6cb931b0500c8b0090f0c13f3db1853eea25df4159d33c53f4ec0b3f2ee83a152846afb24ed491a8d7ff75ff823e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  MD5: ae534ed223735f153e8772b225dbb5e3
  SHA1: 9fab1c785c156e80f18465f6768128b631afe178
  SHA256: 2d86f33226ec866b49d62ba09c75137e0a4c2065a011689249ecd327981e8ae4
  SHA512: 3adee164449ed8609d5c1f1159e8c58f6f1494d6daa3b75df9a51b15db23006cb5589750d5457ce52e93afeab0b3ab22c53bbcb0134df8ecbbe8a87dcf6f7844

C:\Users\Admin\AppData\Roaming\cmstdiag\dialript.exe
  MD5: 6033c8215fb4f429171ceea39599c021
  SHA1: 04643c00dd57b24684dba348745ffe70020ea3f4
  SHA256: 46fc5986b6058ecbbfa90c1732a1e95a690d2d6583094f4eb7c9c59c170ccb66
  SHA512: 41d65b02d47a9ebeaefa50adca7b27e0f4e6809b5cfee216e0fce325e29f1083e8e1eecdf51d5ff0f9e914d0c25a4de604a00477fc68d7245e1d591d60456237

C:\Windows\SysWOW64\RdpStend.exe
  MD5: dd21a3a58b5142e8a7de2ef73066f309
  SHA1: f91f60a05764bc1739f26701c07a0486eaf94308
  SHA256: cf2232272e2edd669ebb849270110235f87785fcd9cdf72858bccd3f45ebc670
  SHA512: 9314f6ea0c08c910c05380234709d1722652725aa8178be1213753c73227d2dfc8c54aba3cd5f45890ed91665b8d4c0c733062e231047989ca8dc9e8f8b8ab80
Memory dumps
  dump                                                              filesize
  memory/60-125-0x0000000000170000-0x00000000001DC000-memory.dmp     432KB
  memory/740-118-0x0000000000000000-mapping.dmp
  memory/3036-115-0x0000000000000000-mapping.dmp
  memory/3036-123-0x0000000000F60000-0x0000000000FA0000-memory.dmp   256KB
  memory/3048-124-0x0000000000A90000-0x0000000000AD3000-memory.dmp   268KB
  memory/3856-129-0x00007FFA38500000-0x00007FFA38510000-memory.dmp   64KB
  memory/3856-128-0x00007FFA38500000-0x00007FFA38510000-memory.dmp   64KB
  memory/3856-127-0x00007FFA38500000-0x00007FFA38510000-memory.dmp   64KB
  memory/3856-130-0x00007FFA38500000-0x00007FFA38510000-memory.dmp   64KB
  memory/3856-132-0x00007FFA38500000-0x00007FFA38510000-memory.dmp   64KB
  memory/3856-131-0x00007FFA592C0000-0x00007FFA5BDE3000-memory.dmp   43.1MB
  memory/3856-135-0x00007FFA53D40000-0x00007FFA54E2E000-memory.dmp   16.9MB
  memory/3856-136-0x00007FFA51E40000-0x00007FFA53D35000-memory.dmp   31.0MB
  memory/3856-126-0x0000000000000000-mapping.dmp
  memory/4656-114-0x0000000001350000-0x00000000013BC000-memory.dmp   432KB