Analysis
- max time kernel: 132s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:51
Static task: static1
Behavioral task: behavioral1
- Sample: dff5690cd1a3474c6cac9dcf8efacdaf51a6be992e70029e21dcacd89cc71f05.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: dff5690cd1a3474c6cac9dcf8efacdaf51a6be992e70029e21dcacd89cc71f05.dll
- Resource: win10-en-20211208
General
- Target: dff5690cd1a3474c6cac9dcf8efacdaf51a6be992e70029e21dcacd89cc71f05.dll
- Size: 78KB
- MD5: 9c3784b44183e575037fdb131355b2f6
- SHA1: 8b85ce577902376ebab9a4e3839da030077fd65c
- SHA256: dff5690cd1a3474c6cac9dcf8efacdaf51a6be992e70029e21dcacd89cc71f05
- SHA512: db20b54bd34ebb3abf6640c773ada4e14a187552aaaac2fddcde3ad64598d7221054db56ea145fba6e123d21e281d33573e1f9b2035ebe60014e7ae5164c2e9d
Malware Config
Extracted:
- C:\7c14u939-readme.txt
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D84152300BC3497B
Signatures

Modifies extensions of user files (17 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: regsvr32.exe
- File renamed: C:\Users\Admin\Pictures\WaitConnect.raw => \??\c:\users\admin\pictures\WaitConnect.raw.7c14u939
- File renamed: C:\Users\Admin\Pictures\ExpandRegister.tiff => \??\c:\users\admin\pictures\ExpandRegister.tiff.7c14u939
- File renamed: C:\Users\Admin\Pictures\FormatDebug.raw => \??\c:\users\admin\pictures\FormatDebug.raw.7c14u939
- File opened for modification: \??\c:\users\admin\pictures\MoveUse.tiff
- File renamed: C:\Users\Admin\Pictures\NewMove.png => \??\c:\users\admin\pictures\NewMove.png.7c14u939
- File renamed: C:\Users\Admin\Pictures\RemovePublish.crw => \??\c:\users\admin\pictures\RemovePublish.crw.7c14u939
- File renamed: C:\Users\Admin\Pictures\RepairUnlock.tif => \??\c:\users\admin\pictures\RepairUnlock.tif.7c14u939
- File renamed: C:\Users\Admin\Pictures\RestoreConfirm.tiff => \??\c:\users\admin\pictures\RestoreConfirm.tiff.7c14u939
- File renamed: C:\Users\Admin\Pictures\LimitGroup.crw => \??\c:\users\admin\pictures\LimitGroup.crw.7c14u939
- File renamed: C:\Users\Admin\Pictures\MeasureProtect.raw => \??\c:\users\admin\pictures\MeasureProtect.raw.7c14u939
- File opened for modification: \??\c:\users\admin\pictures\MergeBlock.tiff
- File renamed: C:\Users\Admin\Pictures\PingUse.png => \??\c:\users\admin\pictures\PingUse.png.7c14u939
- File renamed: C:\Users\Admin\Pictures\CompletePublish.png => \??\c:\users\admin\pictures\CompletePublish.png.7c14u939
- File opened for modification: \??\c:\users\admin\pictures\ExpandRegister.tiff
- File renamed: C:\Users\Admin\Pictures\MergeBlock.tiff => \??\c:\users\admin\pictures\MergeBlock.tiff.7c14u939
- File renamed: C:\Users\Admin\Pictures\MoveUse.tiff => \??\c:\users\admin\pictures\MoveUse.tiff.7c14u939
- File opened for modification: \??\c:\users\admin\pictures\RestoreConfirm.tiff
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: regsvr32.exe
- File opened (read-only): \??\N:, \??\O:, \??\U:, \??\X:, \??\Y:, \??\B:, \??\I:, \??\J:, \??\L:, \??\M:, \??\P:, \??\Q:, \??\D:, \??\E:, \??\H:, \??\V:, \??\W:, \??\G:, \??\K:, \??\R:, \??\S:, \??\T:, \??\Z:, \??\A:, \??\F:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: regsvr32.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lc77w72lx.bmp"
Drops file in Program Files directory (13 IoCs)
Processes: regsvr32.exe
- File opened for modification: \??\c:\program files\UpdateUse.eps
- File opened for modification: \??\c:\program files\CheckpointSend.xltm
- File opened for modification: \??\c:\program files\CompareWatch.ini
- File opened for modification: \??\c:\program files\CloseUpdate.ps1xml
- File opened for modification: \??\c:\program files\FindConvertFrom.clr
- File opened for modification: \??\c:\program files\FormatUnprotect.contact
- File opened for modification: \??\c:\program files\GroupConvertTo.jpeg
- File opened for modification: \??\c:\program files\InstallFormat.mpg
- File opened for modification: \??\c:\program files\RenameSend.mpeg
- File created: \??\c:\program files\7c14u939-readme.txt
- File created: \??\c:\program files (x86)\7c14u939-readme.txt
- File opened for modification: \??\c:\program files\SwitchStep.txt
- File opened for modification: \??\c:\program files\UnpublishFind.asx
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: regsvr32.exe
- pid 3040, regsvr32.exe
- pid 3040, regsvr32.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: regsvr32.exe, vssvc.exe, vssvc.exe
- Token: SeDebugPrivilege, pid 3040, regsvr32.exe
- Token: SeTakeOwnershipPrivilege, pid 3040, regsvr32.exe
- Token: SeBackupPrivilege, pid 3880, vssvc.exe
- Token: SeRestorePrivilege, pid 3880, vssvc.exe
- Token: SeAuditPrivilege, pid 3880, vssvc.exe
- Token: SeBackupPrivilege, pid 928, vssvc.exe
- Token: SeRestorePrivilege, pid 928, vssvc.exe
- Token: SeAuditPrivilege, pid 928, vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
- PID 2728 wrote to memory of 3040: regsvr32.exe -> regsvr32.exe
- PID 2728 wrote to memory of 3040: regsvr32.exe -> regsvr32.exe
- PID 2728 wrote to memory of 3040: regsvr32.exe -> regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (PID 2728)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dff5690cd1a3474c6cac9dcf8efacdaf51a6be992e70029e21dcacd89cc71f05.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 3040)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\dff5690cd1a3474c6cac9dcf8efacdaf51a6be992e70029e21dcacd89cc71f05.dll
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 1364)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 3880)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 928)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken