Overview

overview

10

Static

static

10

61a47ebee9...in.dll

windows7_x64

8

61a47ebee9...in.dll

windows10_x64

8

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    09-12-2021 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll

  • Size

    124KB

  • MD5

    6c69bc006e9006849d4041f93806fb96

  • SHA1

    57c70a4a5dea8e77cd4c412f8a6c997872a1a379

  • SHA256

    61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9

  • SHA512

    b8c5e2ba08b676b34de2d3e9d1fa09fcabfc7189c3261cde4f035389a297b78f40fcc64a002d09af606e349281e9be340b53ba93f321dee92a341f30d6396bad

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gykkwrbr\qmhsiix.tba",khTAljoZkMLTjn
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gykkwrbr\qmhsiix.tba",#1
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1256-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2764-115-0x0000000000000000-mapping.dmp
    Download
  • memory/2788-116-0x0000000000000000-mapping.dmp
    Download