eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
Size

1024KB
MD5

77754f3a52aa773c9d3a7800e6ef5175
SHA1

35b044fd8435b6a886f5ad69938b4d5f60c92069
SHA256

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24
SHA512

14a3d73698ea2872508e9ed2fcc62aea016a56da096bd5b24cfed3e85ccf771c794a69bdabf48c26d6f1eddb34be04883ad7099a14b60ec36cb879968717d128

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

rundll32.comrundll32.com

pid process

2024 rundll32.com
820 rundll32.com
Loads dropped DLL 3 IoCs

Processes:

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.execmd.exerundll32.com

pid process

1564 eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
624 cmd.exe
2024 rundll32.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1972 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.comrundll32.com

pid process

2024 rundll32.com
2024 rundll32.com
2024 rundll32.com
820 rundll32.com
820 rundll32.com
820 rundll32.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

rundll32.comrundll32.com

pid process

2024 rundll32.com
2024 rundll32.com
2024 rundll32.com
820 rundll32.com
820 rundll32.com
820 rundll32.com

pid	process
2024	rundll32.com
820	rundll32.com

pid	process
1564	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
624	cmd.exe
2024	rundll32.com

pid	process
1972	PING.EXE

pid	process
2024	rundll32.com
2024	rundll32.com
2024	rundll32.com
820	rundll32.com
820	rundll32.com
820	rundll32.com

pid	process
2024	rundll32.com
2024	rundll32.com
2024	rundll32.com
820	rundll32.com
820	rundll32.com
820	rundll32.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.execmd.exerundll32.comrundll32.com

description	pid	process	target process
PID 1564 wrote to memory of 624	1564	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 1564 wrote to memory of 624	1564	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 1564 wrote to memory of 624	1564	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 1564 wrote to memory of 624	1564	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 624 wrote to memory of 1236	624	cmd.exe	certutil.exe
PID 624 wrote to memory of 1236	624	cmd.exe	certutil.exe
PID 624 wrote to memory of 1236	624	cmd.exe	certutil.exe
PID 624 wrote to memory of 1236	624	cmd.exe	certutil.exe
PID 624 wrote to memory of 2024	624	cmd.exe	rundll32.com
PID 624 wrote to memory of 2024	624	cmd.exe	rundll32.com
PID 624 wrote to memory of 2024	624	cmd.exe	rundll32.com
PID 624 wrote to memory of 2024	624	cmd.exe	rundll32.com
PID 2024 wrote to memory of 820	2024	rundll32.com	rundll32.com
PID 2024 wrote to memory of 820	2024	rundll32.com	rundll32.com
PID 2024 wrote to memory of 820	2024	rundll32.com	rundll32.com
PID 2024 wrote to memory of 820	2024	rundll32.com	rundll32.com
PID 624 wrote to memory of 1972	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 1972	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 1972	624	cmd.exe	PING.EXE
PID 624 wrote to memory of 1972	624	cmd.exe	PING.EXE
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe
PID 820 wrote to memory of 580	820	rundll32.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
"C:\Users\Admin\AppData\Local\Temp\eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c <nul set /p ="M" > rundll32.com & type xWYX.com >> rundll32.com & del xWYX.com & certutil -decode Ulu.com H & rundll32.com H & ping 127.0.0.1 -n 2 > nul & del Ulu.com & del H
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\certutil.exe
certutil -decode Ulu.com H
3⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\rundll32.com
rundll32.com H
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\rundll32.com
C:\Users\Admin\AppData\Local\Temp\rundll32.com H
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:580

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:1972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H
Filesize
355KB

MD5
1a0d0b76fc907949660c8a9647a370c5

SHA1
8b993fda4f18d24fd0327c62b264b941054a5e9c

SHA256
c55f427b3a4be77726fa75009e2da71ef10e559eb8fbd26dde4b5ff760c03819

SHA512
cfb770790d381a4a9e824ffac0da2da2157a9f7d3f50763cdda4e40593bbb95196949401c14e0ba96a000c3aa6e115f5ef728d5e7f63acd522cb011fca5cb3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ulu.com
Filesize
488KB

MD5
3998a649753fd0b941d5aa7ebbb6449d

SHA1
ea76fac1bb3dc5421d46d7acb24000bac9207868

SHA256
fc947384ac807e132ed445e7a51e91317bcaa190b1411f585aa2feff93611e2b

SHA512
257bcfecf65b20d0c61267208eb531185a47ccf045f7929ce80199908ef7017dc7ba901349a015fd9c6aac38deed8e3077b9a0e847fba097003910d2c38ce8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrDZ.com
Filesize
163KB

MD5
a671804ec84cb10f11b17ec84a16b138

SHA1
a95cf082f916f3494388e4011d5f81ec7cacb0aa

SHA256
c28657fb7b3c4ef32ebfea72277515e5a7198f001fb367701f71481986fccafb

SHA512
dd769c0f8e471a7d4b85d5b3fa92e2267135b84afc6d3627d5a691b54a2cec18eac5fa267971637e9670287947d3b6e1858238b21acbd0dc1f05d769187a37df

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWYX.com
Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF9EB.tmp\dRjjtFp.dll
Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/580-85-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-95-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-131-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-129-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-127-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-125-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-73-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-75-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-77-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-79-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-81-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-83-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-123-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-87-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-89-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-91-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-93-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-121-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-97-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-99-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-101-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-103-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-105-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-107-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-109-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-111-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-113-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-115-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-117-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/580-119-0x00000000004B0000-0x00000000014B0000-memory.dmp

Filesize
16.0MB

Download
memory/624-56-0x0000000000000000-mapping.dmp

Download
memory/820-68-0x0000000000000000-mapping.dmp

Download
memory/1236-58-0x0000000000000000-mapping.dmp

Download
memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1972-72-0x0000000000000000-mapping.dmp

Download
memory/2024-62-0x0000000000000000-mapping.dmp

Download