Analysis

  • max time kernel
    136s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-05-2022 15:06

General

  • Target

    texi64.dll

  • Size

    280KB

  • MD5

    f2b8daf9be5866844bb5f1a860d4433f

  • SHA1

    6097602f35245926bdcbffcd86ef6f67b2af7bd8

  • SHA256

    e4756dc21114c9de523af307992382dfd0fc0cf7ccf19d5351998c498561ca20

  • SHA512

    b26d90b64bea4b7177d83498efb58d42902e4cc76e9386fd6be6040a5b17d28ed1093b769a4728cfa1e0fdb756c8238a1b8914379b161bf8d6b1f51324a4b73a

Score
8/10

Malware Config

Signatures

  • Modifies extensions of user files (8 IoCs)

    Ransomware generally changes the extension on encrypted files. The extension appended in this run is .quantum (see ResetConnect.dotm.quantum under Downloads).

  • Deletes itself (1 IoC), via the 006C7E83.bat batch file that cmd.exe runs (see Processes)
  • Drops desktop.ini file(s) (26 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 64 IoCs)
  • Modifies registry class (6 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)

    This heuristic misfires here: the file opened in NOTEPAD.EXE is C:\Users\Admin\Desktop\ResetConnect.dotm.quantum, an encrypted user document launched through the shell's Open With handler (rundll32.exe shell32.dll,OpenAs_RunDLL). The actual ransom note is README_TO_DECRYPT.html, which is opened in Internet Explorer.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (34 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)
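
Added triage helper for the "Modifies extensions of user files" and ransom-note signatures above. This is example code written for this page, not the sandbox's signature engine or the sample's code. The only family-specific inputs are the appended extension (.quantum) and note name (README_TO_DECRYPT.html) the report shows; the directory snapshot it scans is constructed inline, and the 7.5 bits/byte entropy cut-off is an assumption, not a value from the report.

```python
"""Added triage helper for the 'Modifies extensions of user files' and
ransom-note signatures. Example code written for this page, not the
sandbox's signature engine or the sample's code; the directory snapshot
it scans is constructed inline."""
import math
import random
from collections import Counter
from typing import Dict, List, Optional

RANSOM_EXT = ".quantum"                 # from ResetConnect.dotm.quantum in the report
NOTE_NAME = "README_TO_DECRYPT.html"    # ransom note name from the report
ENTROPY_THRESHOLD = 7.5                 # bits/byte; assumed cut-off, not from the report


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(name: str) -> Optional[str]:
    """Pre-encryption filename if the ransomware extension was appended, else None."""
    if name.lower().endswith(RANSOM_EXT) and len(name) > len(RANSOM_EXT):
        return name[: -len(RANSOM_EXT)]
    return None


def _basename(path: str) -> str:
    # Windows paths on any host: split on either separator
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage_snapshot(files: Dict[str, bytes]) -> Dict:
    """files maps path -> content. Returns renamed high-entropy files (victims),
    ransom notes, renamed files that are NOT high entropy (worth a manual look,
    e.g. zero-length or already-compressed formats), and a verdict that needs
    both a note and at least one encrypted-looking victim."""
    victims: List[str] = []
    notes: List[str] = []
    renamed_low_entropy: List[str] = []
    for path, data in files.items():
        name = _basename(path)
        if name == NOTE_NAME:
            notes.append(path)
        elif original_name(name) is not None:
            bucket = victims if shannon_entropy(data) >= ENTROPY_THRESHOLD else renamed_low_entropy
            bucket.append(path)
    return {
        "victims": sorted(victims),
        "notes": sorted(notes),
        "renamed_low_entropy": sorted(renamed_low_entropy),
        "ransomware_like": bool(notes) and bool(victims),
    }


def build_sample_snapshot() -> Dict[str, bytes]:
    """Constructed snapshot mirroring the report's Desktop: a plaintext file,
    a renamed file filled with pseudo-random bytes standing in for ciphertext,
    the ransom note, and a renamed zero-length file that entropy cannot judge."""
    rng = random.Random(1337)  # fixed seed so the example is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        r"C:\Users\Admin\Desktop\notes.txt": b"Quarterly budget notes\n" * 100,
        r"C:\Users\Admin\Desktop\ResetConnect.dotm.quantum": ciphertext,
        r"C:\Users\Admin\Desktop\README_TO_DECRYPT.html": b"<html><body>constructed placeholder</body></html>",
        r"C:\Users\Admin\Desktop\empty.docx.quantum": b"",
    }


if __name__ == "__main__":
    print(triage_snapshot(build_sample_snapshot()))
```

The rename is the primary signal and entropy only the confirmation: formats that are already compressed (docx, zip, jpeg) sit near 8 bits/byte before any encryption, and a zero-length or truncated file scores 0, which is why renamed files that fail the entropy check land in a separate bucket rather than being dropped. During response, feed original_name() results into a comparison against backups or a known-good inventory to size the damage.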

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\texi64.dll,#1
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C7E83.bat" """
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\system32\attrib.exe
        attrib -s -r -h ""
        3⤵
        • Views/modifies file attributes
        PID:980
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:308
  • C:\Windows\explorer.exe
    "explorer.exe" README_TO_DECRYPT.html
    1⤵
    PID:1308
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1752
  • C:\Windows\explorer.exe
    "explorer.exe" README_TO_DECRYPT.html
    1⤵
    PID:1628
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:548
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResetConnect.dotm.quantum
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResetConnect.dotm.quantum
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1668
  • C:\Windows\explorer.exe
    "explorer.exe" README_TO_DECRYPT.html
    1⤵
    PID:780
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1596
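
Added detection logic for the chain the tree shows: rundll32.exe loading texi64.dll from %TEMP% by export ordinal (#1), spawning cmd.exe on a .bat in %TEMP%, which spawns attrib.exe -s -r -h. This is example code written for this page, not the sandbox's signature engine or a Sysmon/Triage API; EVENTS is constructed from the report's own command lines and PIDs with Sysmon-like field names so it runs offline. Two details of the tree drive the design: PID 980 appears twice (attrib.exe, later an iexplore.exe), so each record carries an ordering id and a child must be created after its parent; and rundll32.exe also appears legitimately (shell32.dll,OpenAs_RunDLL), so the match keys on a DLL path under %TEMP% plus an ordinal, and on the image path rather than the spoofable command line. Note also that the batch is invoked with an empty quoted argument (`""`), consistent with attrib.exe receiving an empty path; the 65-byte batch's contents are not shown in the report and are not assumed here.

```python
"""Added detection logic for the process tree above. Example code written
for this page, not the sandbox's signature engine or a Sysmon/Triage API.
EVENTS is constructed from the report's command lines and PIDs."""
import re
from typing import Dict, List

# Constructed from the report. "id" is a monotonic creation counter: PID 980
# is used twice in the tree (attrib.exe, later an iexplore.exe), so a PID alone
# is not a stable key and a child must also be created after its parent record.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 1224, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\texi64.dll,#1"},
    {"id": 2, "pid": 804, "ppid": 1224, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C7E83.bat" """'},
    {"id": 3, "pid": 980, "ppid": 804, "image": r"C:\Windows\system32\attrib.exe",
     "cmd": r'attrib -s -r -h ""'},
    {"id": 4, "pid": 1080, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResetConnect.dotm.quantum'},
    {"id": 5, "pid": 980, "ppid": 1536, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html'},
]

# A DLL under <user>\AppData\Local\Temp followed by an export ordinal (",#N")
TEMP_DLL_ORDINAL = re.compile(
    r"(?P<dll>[A-Za-z]:\\[^\s,]*\\AppData\\Local\\Temp\\[^\s,]*\.dll),#(?P<ordinal>\d+)", re.I)
# A batch file under <user>\AppData\Local\Temp anywhere on the command line
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]*\.bat', re.I)
# attrib clearing system / read-only / hidden attributes
ATTRIB_CLEAR = re.compile(r"\s-[srh]\b", re.I)


def _basename(image: str) -> str:
    # The image path is reported by the kernel and is harder to spoof than argv[0]
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def children(events: List[Dict], parent: Dict) -> List[Dict]:
    """Direct children of parent: matching ppid AND created after the parent record."""
    return [e for e in events if e["ppid"] == parent["pid"] and e["id"] > parent["id"]]


def temp_dll_loads(events: List[Dict]) -> List[Dict]:
    """Weak signal: rundll32.exe (by image) loading a DLL from %TEMP% by ordinal."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "rundll32.exe":
            continue
        m = TEMP_DLL_ORDINAL.search(e["cmd"])
        if m:
            hits.append({"event": e, "dll": m.group("dll"), "ordinal": int(m.group("ordinal"))})
    return hits


def find_chains(events: List[Dict]) -> List[Dict]:
    """Strong signal: rundll32(%TEMP% DLL,#N) -> cmd.exe(.bat in %TEMP%) -> attrib -s/-r/-h."""
    findings = []
    for load in temp_dll_loads(events):
        for shell in children(events, load["event"]):
            bat = TEMP_BAT.search(shell["cmd"])
            if _basename(shell["image"]) != "cmd.exe" or not bat:
                continue
            for attr in children(events, shell):
                if _basename(attr["image"]) == "attrib.exe" and ATTRIB_CLEAR.search(attr["cmd"]):
                    findings.append({
                        "dll": load["dll"],
                        "ordinal": load["ordinal"],
                        "bat": bat.group(0),
                        "pids": (load["event"]["pid"], shell["pid"], attr["pid"]),
                    })
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print("ransomware-like cleanup chain:", f)
```

temp_dll_loads() on its own fires on plenty of installers and is only a triage lead; find_chains() requires all three hops and a parent created before its child, so the reused PID 980 cannot be attached to the wrong cmd.exe. In a real deployment the ordering id should come from the event log's record number or the ProcessGuid that Sysmon provides, not from the PID.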

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Hidden Files and Directories (T1158): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
    • Hidden Files and Directories (T1158): 1
  • Discovery
    • System Information Discovery (T1082): 1

The three techniques correspond to the three signatures marked as TTPs above: T1158 to "Views/modifies file attributes" (the attrib.exe -s -r -h call, counted under both Persistence and Defense Evasion), T1112 to "Modifies Internet Explorer settings", and T1082 to "Enumerates physical storage devices". The IDs are ATT&CK v6; T1158 was deprecated in later ATT&CK versions, and the equivalent current technique is T1564.001 (Hide Artifacts: Hidden Files and Directories).

Downloads

The RecoveryStore and {GUID}.dat entries under Internet Explorer\Recovery are side effects of README_TO_DECRYPT.html being opened in Internet Explorer, not payloads dropped by the sample. Three entries share the path ...\Last Active\RecoveryStore.{0F810AD0-BC30-11EC-BA3F-F2122C6314CC}.dat with sizes 5KB, 6KB and 7KB: successive captures of the same file as IE rewrote it, not three distinct files.

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{04BA1D41-CD5F-11EC-A484-C2F2D41BD72F}.dat
    Filesize: 5KB
    MD5: 84e188bbf5ee5c39c133d3d018dbb52b
    SHA1: a647f25c221dd86a579f20588c3bedcf21074cca
    SHA256: 5ddf5ecbf72e7e7d9b740ea39379dc9d1b42f54e5e21d90cd16f5b84dba42b90
    SHA512: 1ad9692c4d29a090e50bc672a70b4003371014dad2ede378feaf34e1c699d9dd3ad18f51f3f7d14dbef0edd621a84a6bd2e3b1237a39ec484e199e1a7403388c

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{07E10F61-CD5F-11EC-A484-C2F2D41BD72F}.dat
    Filesize: 5KB
    MD5: ac7d5b022df9bcc0fe43737bc119a84b
    SHA1: 8c85c86e0c67e2e5bd239750407a820e523b6f2b
    SHA256: b3ac1c023942aa0d6d446971f6b0319c23b307fcf7ebe3e6729c685fbd0e6fcb
    SHA512: 520db7d116a6ac4edfd93a3aedefc58140c7d5c80160a621a5e1e86c26555aa083ecda2f2d7c6b67cd6e58a2381e74e6140adb6fdab3687161147d901de9b84f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F7755321-CD5E-11EC-A484-C2F2D41BD72F}.dat
    Filesize: 5KB
    MD5: 6fce3b4b77f9869389440d253a63f5f1
    SHA1: f394a007d9027f5c9acc4d99cac42dba94372327
    SHA256: 8957d71d85074a535ccfd8e5714f83e7ff916a73594d4c2474c91ea7c386dd66
    SHA512: 125708584134de853edeb6902bef62b0a774222c44ac7b276e6e8cebde624d1bcdf09680774481e6c1ec281fd8e69b918cc4a128852f1040a0c8038f6a6ebdfe

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{0F810AD0-BC30-11EC-BA3F-F2122C6314CC}.dat
    Filesize: 5KB
    MD5: c5580a0ffba27df72f7fea2ee1a5c04e
    SHA1: d8ab61a4c8433e9bfc60ea28ef2a3376140cdddc
    SHA256: fc970e3e406857161e28c454e962c6a145ce4d0d008b24fca01c39dc54fb2f1f
    SHA512: 77e568e1b43dbed6da1fdaa41509f507c8f20cc227aa793bc64b1a5742f9fbeff343c2e56b28135cddad790b0e68a41c9f4b097dab106f1a2fe3680795634231

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{0F810AD0-BC30-11EC-BA3F-F2122C6314CC}.dat
    Filesize: 6KB
    MD5: 43f635e94f74d0dc5c1a1caff5ed6320
    SHA1: 042e163e51716f4aa352a5fd5d841c5caa8096df
    SHA256: 0fa2cc9ee197c49669aaa3e0b5827f443514ec64e510ddb7336da698a2826ead
    SHA512: 8d63114673c0886d8583cd500dc4762856f0f3cf5da4fa616648aa5b97e0e9c6a9353f5f83147dfe231777691ce46bb5370155d8272355b8825752b331e62cbd

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{0F810AD0-BC30-11EC-BA3F-F2122C6314CC}.dat
    Filesize: 7KB
    MD5: 9a111b78a0b7fcfcdd70afdcf9e951ed
    SHA1: 13b94455c2c9865a0c6ecb8aca10335115a3d9eb
    SHA256: 43134f64b1a389482f20a62df1cc036e226994fe9a28eb6207d907ab904fc697
    SHA512: 4cbf88961a09fae4f5661aa2cb23c4619a9852830768932956f0accd15498c2eaaa1b98b169c593368fa7fbbb52ef9e5b71e61bbe3422950e8e698a70c0bd8e9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{04BA1D44-CD5F-11EC-A484-C2F2D41BD72F}.dat
    Filesize: 4KB
    MD5: 1733fc8d01eb7c8e1b2bf226485f2a1e
    SHA1: 0cd8af110fac4f905d79a9b11507e12f8d5b35e8
    SHA256: 07954a855bc7a4fa1f6c921d20bd20049a09e53910e082df230f0d9c5fd8bb6c
    SHA512: 5316d1db3fac9d0859144c8746bef6aed0048893569af83345e229841da46a62235554edad14690a7beade4ca1dd7bbe8f04a35059e3d4b9cb6ec7a1a546dac9

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{07E10F64-CD5F-11EC-A484-C2F2D41BD72F}.dat
    Filesize: 4KB
    MD5: 131f88139e07f290a8f4d5c5ca6827d4
    SHA1: fb36f97469145231e686b81e3400fc0f9ee6e86e
    SHA256: f7460f6e43791a9789af312ab6976ddb1b973aceb3ca6c3bdb42fa535bb15cbb
    SHA512: edddf9c435236f9fbc2cd61f7a49f2132ab90534a2d5a8f520f2a545f287e69644178237a425fe0dcbe03d1c1cc58d110854b9e027e1be0ae45bdbf798e3b79d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{FD95FD41-CD5E-11EC-A484-C2F2D41BD72F}.dat
    Filesize: 4KB
    MD5: 4ab600f9a7f5416257088c1ade01f45f
    SHA1: cc6763744dfbf1016fc4984cfdb4f64d521fd7e2
    SHA256: 0179c271ab83bd07e41525afc8ddd5a8e2ea64fc29559b49220122bf16e55749
    SHA512: c2185cb950ce680a89d651fae0603c7805d9efcc59633a7471a3b724d2309b0f2d58f7b046cecefa754367e718514774515a498040b1b286a54eb49d6b811ab2

  • C:\Users\Admin\AppData\Local\Temp\.log
    Filesize: 77KB
    MD5: 87fb2569057619044fce41a2c2124ab1
    SHA1: fa47071b8710c6c2729ab9aacd21c8f740a276be
    SHA256: fd2af1adb3038fe25ac3d96e545181f6003ed0f0b8d55d228ef97b580834af92
    SHA512: 308f28fe619cab1832b4170ed079b31a42d6cf14d6624df3ccce5fd7e29a444ad636802237f5a9f3b32a0e78463b80a04ec39ce6c9a113e0f6f0c291d5f230dd

  • C:\Users\Admin\AppData\Local\Temp\006C7E83.bat
    Filesize: 65B
    MD5: 348cae913e496198548854f5ff2f6d1e
    SHA1: a07655b9020205bd47084afd62a8bb22b48c0cdc
    SHA256: c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
    SHA512: 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

  • C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    Filesize: 2KB
    MD5: 06dd5a8e167eb2fdab3387d638c0d41a
    SHA1: a411b42c5f4a588d531ebab7f60ea922cceff579
    SHA256: 868ebde6ef606437d20a076066c0d5b765121a5a59ee3e85ae8da8649846db7e
    SHA512: cfb91863ab8e537c77350e077e6072a50ebeb42eb0954c38b9428974d02479c3094164f200be5cec6af7bffc8538abdf0693b0d9432d866ca3014a1bde002fd5

  • C:\Users\Admin\Desktop\ResetConnect.dotm.quantum
    Filesize: 458KB
    MD5: 88dd9f9e4ff252c8210d398f72065f6d
    SHA1: 04f5b583650a0bb307dcd0c882c40b8517c58e64
    SHA256: efccb85b4650815e4bfd797524832332b8408d16bb4f2d5b7c5648653a57a10c
    SHA512: ab41500e74906f5987a49bd5833fe6b9ef28ebcfbf12ca2be475d819973c5e1cf1d81bc75c96b884647d50c2a25ed3e416b6122cfb847a62d3e077a20b3a1a68

Memory dumps

  • memory/804-61-0x0000000000000000-mapping.dmp
  • memory/980-63-0x0000000000000000-mapping.dmp
  • memory/1224-54-0x0000010180000000-0x0000010180018000-memory.dmp
    Filesize: 96KB
  • memory/1308-66-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp
    Filesize: 8KB
  • memory/1668-77-0x0000000000000000-mapping.dmp