Analysis
- max time kernel: 136s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-12-2021 10:53
Behavioral task behavioral1
- Sample: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll
- Resource: win10-en-20211208
General
- Target: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll
- Size: 124KB
- MD5: 6c69bc006e9006849d4041f93806fb96
- SHA1: 57c70a4a5dea8e77cd4c412f8a6c997872a1a379
- SHA256: 61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9
- SHA512: b8c5e2ba08b676b34de2d3e9d1fa09fcabfc7189c3261cde4f035389a297b78f40fcc64a002d09af606e349281e9be340b53ba93f321dee92a341f30d6396bad
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes (flow, pid, process):
    10  1256  rundll32.exe
    25  1256  rundll32.exe
    28  1256  rundll32.exe
    29  1256  rundll32.exe
    30  1256  rundll32.exe
    33  1256  rundll32.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\Gykkwrbr\qmhsiix.tba  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
    1256  rundll32.exe  (14 identical hits)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process):
    2764  rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 3048 wrote to memory of 2764  3048  rundll32.exe  rundll32.exe  (3 hits)
    PID 2764 wrote to memory of 2788  2764  rundll32.exe  rundll32.exe  (3 hits)
    PID 2788 wrote to memory of 1256  2788  rundll32.exe  rundll32.exe  (3 hits)
Processes
- (depth 1, PID 3048) C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll,#1
  - Suspicious use of WriteProcessMemory
  - (depth 2, PID 2764) C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll,#1
    - Drops file in System32 directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - (depth 3, PID 2788) C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gykkwrbr\qmhsiix.tba",khTAljoZkMLTjn
      - Suspicious use of WriteProcessMemory
      - (depth 4, PID 1256) C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gykkwrbr\qmhsiix.tba",#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses

Reading the tree: each entry is the process image followed by its full command line; the depth numbers are the report's own nesting markers. The PIDs are not printed in the tree itself but follow from the WriteProcessMemory chain in the Signatures section (3048 wrote to 2764, 2764 to 2788, 2788 to 1256) and from which process carries which signature (RenamesItself and the dropped file on 2764, the network requests on 1256). The 64-bit rundll32.exe at depth 1 re-runs the same command line through the 32-bit SysWOW64 rundll32.exe, which is what rundll32 does when it is handed a 32-bit DLL. That 32-bit instance writes the payload to C:\Windows\SysWOW64\Gykkwrbr\qmhsiix.tba and relaunches it through rundll32, first by export name (khTAljoZkMLTjn), then by ordinal (#1); only the last instance makes network requests. The depth-4 command line names C:\Windows\System32\Gykkwrbr\qmhsiix.tba while the file was dropped under SysWOW64: because that rundll32.exe is a 32-bit process, the WOW64 file-system redirector maps System32 to SysWOW64, so both paths refer to the same file. The .tba extension is not an obstacle for rundll32, which loads the module with LoadLibrary regardless of extension; a rundll32 target with a non-.dll extension inside a randomly named subfolder of a system directory is the most useful hunting artefact in this report.
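The behaviour in this tree (rundll32 spawning rundll32, a module with a non-.dll extension, a randomly named subfolder of SysWOW64, and a System32 path that is really SysWOW64 under WOW64 redirection) can be turned into detection logic. The following is an added example, not code from the sandbox vendor or from this report; it runs over constructed process-creation records modelled on the tree above (Sysmon event ID 1 style fields, PIDs taken from the WriteProcessMemory chain; the explorer.exe parent of the first process, the C: drive and the heuristic names are assumptions). It shows the rundll32 command-line parsing and the WOW64 path normalisation that a rule needs to match the depth-4 process against the dropped-file path.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


# Constructed sample events modelled on the four-level tree in the report.
# PIDs follow the WriteProcessMemory chain 3048 -> 2764 -> 2788 -> 1256; the
# explorer.exe parent of the first process is an assumption, as is the benign
# control event at the end.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\61a47ebee921db8a16a8f070edcb86b5efd47a8d185bf4691b57e76f697981f9.bin.dll"
SAMPLE_EVENTS = [
    ProcEvent(3048, 1000, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\explorer.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2764, 3048, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2788, 2764, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gykkwrbr\qmhsiix.tba",khTAljoZkMLTjn'),
    ProcEvent(1256, 2788, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Gykkwrbr\qmhsiix.tba",#1'),
    # Benign control: a Control Panel applet launched the normal way.
    ProcEvent(4100, 1000, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# First token of the command line (quoted or bare), followed by whitespace.
_FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+')


def parse_rundll32_cmdline(cmdline: str) -> Optional[tuple[str, str]]:
    """Split a rundll32 command line into (module, entrypoint).

    rundll32 syntax is `rundll32 <module>,<entry> [args]`; the module may be
    double-quoted and the entry may be a name or an ordinal such as #1.
    Returns None if the line does not look like a rundll32 invocation.
    """
    m = _FIRST_TOKEN.match(cmdline)
    if not m or "rundll32" not in m.group(0).lower():
        return None
    rest = cmdline[m.end():]
    if rest.startswith('"'):
        close = rest.find('"', 1)
        if close < 0:
            return None
        module, tail = rest[1:close], rest[close + 1:]
    else:
        mm = re.match(r"([^,\s]+)(.*)$", rest, re.S)
        if not mm:
            return None
        module, tail = mm.group(1), mm.group(2)
    entry = ""
    if tail.startswith(",") and tail[1:].strip():
        entry = tail[1:].split(None, 1)[0]
    return module, entry


def effective_module_path(image: str, module: str) -> str:
    """Return the lower-cased path the loader will actually open.

    A 32-bit process (image under SysWOW64) that names C:\\Windows\\System32\\...
    is sent to C:\\Windows\\SysWOW64\\... by the WOW64 file-system redirector.
    This is why the last process in the report names System32 yet opens the
    file dropped in SysWOW64. The C: drive is assumed.
    """
    img, mod = image.lower(), module.lower()
    sys32, wow64 = "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"
    if "\\syswow64\\" in img and mod.startswith(sys32):
        mod = wow64 + mod[len(sys32):]
    return mod


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOADABLE_SUFFIXES = (".dll", ".cpl", ".ocx", ".ax", "")  # "" means LoadLibrary appends .dll


def analyse(ev: ProcEvent) -> list[str]:
    """Return the names of the heuristics (assumed names) that fire for one event."""
    findings: list[str] = []
    name = lambda p: PureWindowsPath(p).name.lower()
    if name(ev.image) == "rundll32.exe" and name(ev.parent_image) == "rundll32.exe":
        findings.append("rundll32_spawns_rundll32")
    parsed = parse_rundll32_cmdline(ev.command_line)
    if name(ev.image) != "rundll32.exe" or parsed is None:
        return findings
    module, _entry = parsed
    path = effective_module_path(ev.image, module)
    if PureWindowsPath(path).suffix not in LOADABLE_SUFFIXES:
        findings.append("module_has_non_dll_extension")
    # A rundll32 target one or more folders below System32/SysWOW64 is unusual.
    if any(path.startswith(d) and "\\" in path[len(d):] for d in SYSTEM_DIRS):
        findings.append("module_in_system_dir_subfolder")
    return findings


def run(events: list[ProcEvent] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map each event's PID to the heuristics that fired on it."""
    return {ev.pid: analyse(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in run().items():
        print(pid, ", ".join(hits) or "-")
```

On the sample events only the depth-3 and depth-4 processes trigger all three heuristics; the depth-2 process triggers just the parent/child check, and the depth-1 and benign events trigger nothing. The extension check is deliberately a whitelist rather than a `.tba` match, since the payload extension is arbitrary, and the redirection step is what lets a rule written against the dropped-file path match the System32 spelling on the command line.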