f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
31s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe
Size

99KB
MD5

aade83133ff5534f889235dbcfa64050
SHA1

bc72ef701a952d8f9d43ce3da6d55dd475974bc7
SHA256

1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a
SHA512

8d737fbabc26bd3246fdb2299cb54a367e900fdfc5af3660a3109469dde3d10356e2401b7f4f4a7daba91738af5e244548d149ae6f68cc1e6dd64e2b6d8e88b6
SSDEEP

3072:ejg4AmKsOol4XiWTUNvbbb3QhYQ9wHWRStAZIXxB:WWsOol4XijNDXu9sAAB

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1388 rundll32.exe
1388 rundll32.exe
1388 rundll32.exe
1388 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exeRundll32.exe

description	pid	process	target process
PID 1124 wrote to memory of 276	1124	1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe	Rundll32.exe
PID 1124 wrote to memory of 276	1124	1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe	Rundll32.exe
PID 1124 wrote to memory of 276	1124	1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe	Rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe
PID 276 wrote to memory of 1388	276	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe
"C:\Users\Admin\AppData\Local\Temp\1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll,AbortSystemShutdown_
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll,AbortSystemShutdown_
    3⤵
    - Loads dropped DLL
    PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll

Filesize
176KB

MD5
549d1cb099c1cee6ad3df69ad3587b70

SHA1
495af7f5b81989ed925bf2e1463396816948485e

SHA256
2cb7d3899d50aec2fe6b63acfe9222629971adbceeadfc03a1d5c88d9254c2d4

SHA512
4164316289fb1aec1ed2a430672dceb9fd21141d376f40d95e33d0b254d45aa64bcee40774389d4d181f5e83abcbdf5167e813b0885627949a0e91bccdfcab4e

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll

Filesize
176KB

MD5
549d1cb099c1cee6ad3df69ad3587b70

SHA1
495af7f5b81989ed925bf2e1463396816948485e

SHA256
2cb7d3899d50aec2fe6b63acfe9222629971adbceeadfc03a1d5c88d9254c2d4

SHA512
4164316289fb1aec1ed2a430672dceb9fd21141d376f40d95e33d0b254d45aa64bcee40774389d4d181f5e83abcbdf5167e813b0885627949a0e91bccdfcab4e

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll

Filesize
176KB

MD5
549d1cb099c1cee6ad3df69ad3587b70

SHA1
495af7f5b81989ed925bf2e1463396816948485e

SHA256
2cb7d3899d50aec2fe6b63acfe9222629971adbceeadfc03a1d5c88d9254c2d4

SHA512
4164316289fb1aec1ed2a430672dceb9fd21141d376f40d95e33d0b254d45aa64bcee40774389d4d181f5e83abcbdf5167e813b0885627949a0e91bccdfcab4e

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll

Filesize
176KB

MD5
549d1cb099c1cee6ad3df69ad3587b70

SHA1
495af7f5b81989ed925bf2e1463396816948485e

SHA256
2cb7d3899d50aec2fe6b63acfe9222629971adbceeadfc03a1d5c88d9254c2d4

SHA512
4164316289fb1aec1ed2a430672dceb9fd21141d376f40d95e33d0b254d45aa64bcee40774389d4d181f5e83abcbdf5167e813b0885627949a0e91bccdfcab4e

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\sqlunirl.dll

Filesize
176KB

MD5
549d1cb099c1cee6ad3df69ad3587b70

SHA1
495af7f5b81989ed925bf2e1463396816948485e

SHA256
2cb7d3899d50aec2fe6b63acfe9222629971adbceeadfc03a1d5c88d9254c2d4

SHA512
4164316289fb1aec1ed2a430672dceb9fd21141d376f40d95e33d0b254d45aa64bcee40774389d4d181f5e83abcbdf5167e813b0885627949a0e91bccdfcab4e

Download Submit
memory/276-55-0x0000000000000000-mapping.dmp

Download
memory/1124-54-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1388-57-0x0000000000000000-mapping.dmp

Download
memory/1388-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download