Analysis

- max time kernel: 141s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 09-12-2021 10:53

Behavioral task behavioral1
- Sample: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll
- Resource: win7-en-20211208

Behavioral task behavioral2
- Sample: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll
- Resource: win10-en-20211208

General

- Target: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll
- Size: 124KB
- MD5: 6c69bc006e9006849d4041f93806fb96
- SHA1: 57c70a4a5dea8e77cd4c412f8a6c997872a1a379
- SHA256: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9
- SHA512: b8c5e2ba08b676b34de2d3e9d1fa09fcabfc7189c3261cde4f035389a297b78f40fcc64a002d09af606e349281e9be340b53ba93f321dee92a341f30d6396bad

Malware Config

No extracted configuration is shown for this sample.
Signatures

- Blocklisted process makes network request (8 IoCs)

  flow  pid  process
  4     320  rundll32.exe
  5     320  rundll32.exe
  6     320  rundll32.exe
  7     320  rundll32.exe
  8     320  rundll32.exe
  9     320  rundll32.exe
  11    320  rundll32.exe
  12    320  rundll32.exe

  Only flow ids are listed; the remote endpoints of these flows are not included in this extract of the report.

- Drops file in System32 directory (1 IoC)

  description                   ioc                                           process
  File opened for modification  C:\Windows\SysWOW64\Xyiqiwtdwg\bfxbvwaeb.bdx  rundll32.exe

- Enumerates physical storage devices (1 TTP)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic heuristic; no file-encryption or ransom-note activity is reported elsewhere in this analysis.

- Suspicious behavior: EnumeratesProcesses (5 IoCs)

  pid  process
  320  rundll32.exe  (5 occurrences)

- Suspicious behavior: RenamesItself (1 IoC)

  pid   process
  1260  rundll32.exe

- Suspicious use of WriteProcessMemory (21 IoCs)

  description                       pid   process       target process
  PID 1396 wrote to memory of 1260  1396  rundll32.exe  rundll32.exe  (7 occurrences)
  PID 1260 wrote to memory of 1120  1260  rundll32.exe  rundll32.exe  (7 occurrences)
  PID 1120 wrote to memory of 320   1120  rundll32.exe  rundll32.exe  (7 occurrences)

  Each rundll32 instance writes into the next one it spawns, giving the chain 1396 -> 1260 -> 1120 -> 320.
Processes

[1] C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll,#1
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll,#1
      - Drops file in System32 directory
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xyiqiwtdwg\bfxbvwaeb.bdx",KotddijWaHD
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xyiqiwtdwg\bfxbvwaeb.bdx",#1
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses

Each entry gives the image path, the command line, and the signatures attributed to that process; the bracketed number is the depth in the tree. Read together with the WriteProcessMemory signature, the four instances are PIDs 1396, 1260, 1120 and 320 in that order (RenamesItself is attributed to 1260 and the network flows to 320, matching depths 2 and 4).

What the chain shows: the 64-bit rundll32.exe in system32 re-launches the SysWOW64 rundll32.exe with the same command line, which is its normal handling of a 32-bit DLL, so the sample is a 32-bit module. The second instance writes C:\Windows\SysWOW64\Xyiqiwtdwg\bfxbvwaeb.bdx and is tagged RenamesItself; the later instances load that file, first by the export name KotddijWaHD and then by ordinal #1, and it is the final instance that makes the network requests. rundll32 loads the .bdx file regardless of its extension, so a hunt keyed on *.dll under SysWOW64 misses this copy; the randomly named subdirectory of SysWOW64 and the non-DLL extension are the indicators to key on.
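Detection logic for the relaunch chain and the WriteProcessMemory rows above, as an added example that is not part of the Tria.ge report or of the sample. The process-creation records and the WriteProcessMemory lines are constructed here to mirror the page; the parent PID 0 for the first rundll32 instance is a placeholder (the report does not show its parent), and the two heuristics (non-.dll module under the Windows directory, rundll32 relaunched by rundll32 with a different module) are this example's own.

```python
"""Added example: parse rundll32 command lines and WriteProcessMemory rows of
the kind shown in this report and flag the rundll32 -> rundll32 relaunch of a
non-.dll module under SysWOW64. All records below are constructed."""
import re
from dataclasses import dataclass

# rundll32.exe <module>,<entry>: the module path may be quoted; the entry is
# an export name (KotddijWaHD) or an ordinal (#1).
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
# "PID 1396 wrote to memory of 1260 ..." as printed in the signature table.
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+)')

WINDOWS_ROOTS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')


def parse_rundll32(cmdline):
    """Return (module_path, entry) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group('quoted') or m.group('bare'), m.group('entry')


def lineage_from_wpm(lines):
    """Collapse repeated WriteProcessMemory rows into an ordered writer -> target chain."""
    edges = []
    for line in lines:
        for src, dst in WPM_RE.findall(line):
            edge = (int(src), int(dst))
            if edge not in edges:
                edges.append(edge)
    if not edges:
        return []
    next_of = dict(edges)
    chain = [edges[0][0]]
    # Stop on a cycle so a malformed input cannot loop forever.
    while chain[-1] in next_of and next_of[chain[-1]] not in chain:
        chain.append(next_of[chain[-1]])
    return chain


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_rundll32(image):
    return image.lower().endswith('\\rundll32.exe')


def rundll32_flags(ev, by_pid):
    """Reasons a rundll32 process-creation event matches the report's chain."""
    reasons = []
    parsed = parse_rundll32(ev.cmdline) if is_rundll32(ev.image) else None
    if parsed is None:
        return reasons
    module, _entry = parsed
    low = module.lower()
    # LoadLibrary ignores the extension, so a hunt keyed on *.dll would miss
    # a module such as ...\Xyiqiwtdwg\bfxbvwaeb.bdx.
    if low.startswith(WINDOWS_ROOTS) and not low.endswith('.dll'):
        reasons.append('non-.dll module under the Windows directory: ' + module)
    parent = by_pid.get(ev.ppid)
    if parent is not None and is_rundll32(parent.image):
        pparsed = parse_rundll32(parent.cmdline)
        if pparsed is not None and pparsed[0].lower() != low:
            reasons.append('rundll32 relaunched by rundll32 with a different module')
    return reasons


def detect(events):
    """Map pid -> reasons for every event that triggers at least one heuristic."""
    by_pid = {ev.pid: ev for ev in events}
    flagged = {}
    for ev in events:
        reasons = rundll32_flags(ev, by_pid)
        if reasons:
            flagged[ev.pid] = reasons
    return flagged


SAMPLE = ('C:\\Users\\Admin\\AppData\\Local\\Temp\\'
          '61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll')
DROPPED = 'C:\\Windows\\SysWOW64\\Xyiqiwtdwg\\bfxbvwaeb.bdx'

# Constructed to mirror the report's process tree; PIDs follow its
# WriteProcessMemory chain. ppid 0 for the first instance is a placeholder.
EVENTS = [
    ProcEvent(1396, 0, 'C:\\Windows\\system32\\rundll32.exe', 'rundll32.exe ' + SAMPLE + ',#1'),
    ProcEvent(1260, 1396, 'C:\\Windows\\SysWOW64\\rundll32.exe', 'rundll32.exe ' + SAMPLE + ',#1'),
    ProcEvent(1120, 1260, 'C:\\Windows\\SysWOW64\\rundll32.exe',
              'C:\\Windows\\SysWOW64\\rundll32.exe "' + DROPPED + '",KotddijWaHD'),
    ProcEvent(320, 1120, 'C:\\Windows\\SysWOW64\\rundll32.exe',
              'C:\\Windows\\SysWOW64\\rundll32.exe "' + DROPPED + '",#1'),
]

# Constructed copies of the signature rows (the report repeats each seven times).
WPM_ROWS = [
    'PID 1396 wrote to memory of 1260 1396 rundll32.exe rundll32.exe',
    'PID 1396 wrote to memory of 1260 1396 rundll32.exe rundll32.exe',
    'PID 1260 wrote to memory of 1120 1260 rundll32.exe rundll32.exe',
    'PID 1120 wrote to memory of 320 1120 rundll32.exe rundll32.exe',
]

if __name__ == '__main__':
    print('lineage:', lineage_from_wpm(WPM_ROWS))
    for pid, reasons in detect(EVENTS).items():
        print(pid, reasons)
```

Run against the constructed records, the chain resolves to 1396 -> 1260 -> 1120 -> 320 and only the two instances that load the .bdx copy are flagged: 1120 on both heuristics (it is the first to load a non-.dll module and its parent rundll32 loaded a different module) and 320 on the module heuristic alone, since its parent already loaded the same file. The first two instances load a .dll from the user's Temp directory and are not flagged by these heuristics; a real deployment would add the parent-of-1396 context and the file-write to the SysWOW64 subdirectory.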