cd8db109a908e7f18b048afc89689790afb715f6d9097eae54f80a58ce22057e

Analysis

max time kernel
152s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd8db109a908e7f18b048afc89689790afb715f6d9097eae54f80a58ce22057e.dll
Size

57KB
MD5

b3297ec417511c2a4a24e378904d273c
SHA1

6a7caedc65bd2877f6823562700821d07294b2d7
SHA256

cd8db109a908e7f18b048afc89689790afb715f6d9097eae54f80a58ce22057e
SHA512

2f30750971538ab518a58359f23f4133cca28991635f36064eb36c167c05ac993bd9489b7fce71bc85450e56c971c1ce7b5699acb79cd9e60844dd0acc7ed3d5

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompleteBlock.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\StartResolve.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\WatchStart.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ApproveHide.tif => C:\Users\Admin\Pictures\ApproveHide.tif.0ad26d	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianLetter.Dotx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\0AD26D-Readme.txt	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\0AD26D-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00531L.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18205_.WMF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVTEL.DIC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00673L.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\calendars.properties	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00780L.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\0AD26D-Readme.txt	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\0AD26D-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZFORM.DPV	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\0AD26D-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205466.WMF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\0AD26D-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\EnterFind.vsdx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\rt.jar	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\0AD26D-Readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2B.BDR	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	rundll32.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	rundll32.exe
Token: SeImpersonatePrivilege	1660	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27
PID 1672 wrote to memory of 1660	1672	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd8db109a908e7f18b048afc89689790afb715f6d9097eae54f80a58ce22057e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd8db109a908e7f18b048afc89689790afb715f6d9097eae54f80a58ce22057e.dll,#1
  2⤵
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download