Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 10:18

General

  • Target

    moavjcbg.dll

  • Size

    87KB

  • MD5

    fee171fbd4ec2ef64bd04567a80df805

  • SHA1

    2db3c49ec6151c1a3c98a7b92006629741b403b5

  • SHA256

    9146be1fc85a94880644670cbf63545efb6db43516d79f42a8792342f684a5ca

  • SHA512

    c66a675706a5c06202366ad6ef2a64bb82d033037447bd212ef479694d26ce040874a65a48f6f9af04af87a5bf1c45696fc2806e5095dac91d3d3b189401712c

Score
8/10

Malware Config

Signatures

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\moavjcbg.dll,#1
    1⤵
    • Modifies extensions of user files
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://fed89e002extceymt.rowarea.info/xtceymt^&1^&40102110^&73^&421^&12
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://fed89e002extceymt.rowarea.info/xtceymt&1&40102110&73&421&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1288
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1748 -s 756
      2⤵
      • Program crash
      PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\77JOA5QZ.txt
    Filesize

    604B

    MD5

    6abedc5d9979e5bd23a83d9fb20823c1

    SHA1

    cc28e0216590dfca0b21a14c020a99b5bacb0840

    SHA256

    b37f854334acf8f57a582ebc125ef1c2f99bca2da15f320fad0133cf3d840ee1

    SHA512

    befaa6e22bec97d56489814b29496b921a466f046cf3de654bb261548ed20c2b262ba4ea6140aef46cd34dbc83fdc5dbd0df2225a584373e48cfa393f4b6bdb9

  • memory/1680-55-0x0000000000000000-mapping.dmp
  • memory/1680-57-0x000007FEFC021000-0x000007FEFC023000-memory.dmp
    Filesize

    8KB

  • memory/1688-56-0x0000000000000000-mapping.dmp
  • memory/1748-54-0x0000000000180000-0x000000000018B000-memory.dmp
    Filesize

    44KB