f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
34s
max time network
54s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exe
Size

319KB
MD5

fb1254fbffaa2c43968a9a9244161b48
SHA1

5df4f1312886b071ce38efa442e67e64ecc0dd5c
SHA256

ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63
SHA512

fde7690e679a30038e335c721d8cf2102221e90c1297ce13c5afb9014029252872c7ed5ddb27cf890a3a0a306add502fe77f06e9bbf6de5fd535916e71fe0ffa
SSDEEP

6144:8WsOol4XijN1onpmZE8e94K4CBfsvhutda5cylYdce68BGiMtPtFbqB6A3P8/:9sOol4XiTonpWdK4B5hSHdce68BGVVFN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1736 rundll32.exe
1736 rundll32.exe
1736 rundll32.exe
1736 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1736	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exeRundll32.exe

description	pid	process	target process
PID 1564 wrote to memory of 1464	1564	ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exe	Rundll32.exe
PID 1564 wrote to memory of 1464	1564	ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exe	Rundll32.exe
PID 1564 wrote to memory of 1464	1564	ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exe	Rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 1736	1464	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exe
"C:\Users\Admin\AppData\Local\Temp\ba8824a7c7b7db0f89d566719b6a2c0893158b37b5ac45dd138acbdf6d7e9d63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll,RlLades
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll,RlLades
    3⤵
    - Loads dropped DLL
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll

Filesize
823KB

MD5
587b6a92374b3995787ce3034d20900e

SHA1
50a9a72e882d968f98c26663635885fc1b74ce27

SHA256
99085290fdd4069a0a2c0e1d33c508a7fd08044c2f36d87c2e32df9ca77af8d7

SHA512
99f87b741113a55b1b4bc7008f997dfb19f39c6476380133a26b2b40d912f1772f77efbac1e0cadbf8d83ec43655570ab3aeee32b17d8323adfc15857dc5bdd6

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll

Filesize
823KB

MD5
587b6a92374b3995787ce3034d20900e

SHA1
50a9a72e882d968f98c26663635885fc1b74ce27

SHA256
99085290fdd4069a0a2c0e1d33c508a7fd08044c2f36d87c2e32df9ca77af8d7

SHA512
99f87b741113a55b1b4bc7008f997dfb19f39c6476380133a26b2b40d912f1772f77efbac1e0cadbf8d83ec43655570ab3aeee32b17d8323adfc15857dc5bdd6

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll

Filesize
823KB

MD5
587b6a92374b3995787ce3034d20900e

SHA1
50a9a72e882d968f98c26663635885fc1b74ce27

SHA256
99085290fdd4069a0a2c0e1d33c508a7fd08044c2f36d87c2e32df9ca77af8d7

SHA512
99f87b741113a55b1b4bc7008f997dfb19f39c6476380133a26b2b40d912f1772f77efbac1e0cadbf8d83ec43655570ab3aeee32b17d8323adfc15857dc5bdd6

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll

Filesize
823KB

MD5
587b6a92374b3995787ce3034d20900e

SHA1
50a9a72e882d968f98c26663635885fc1b74ce27

SHA256
99085290fdd4069a0a2c0e1d33c508a7fd08044c2f36d87c2e32df9ca77af8d7

SHA512
99f87b741113a55b1b4bc7008f997dfb19f39c6476380133a26b2b40d912f1772f77efbac1e0cadbf8d83ec43655570ab3aeee32b17d8323adfc15857dc5bdd6

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\vfprintpthelper.dll

Filesize
823KB

MD5
587b6a92374b3995787ce3034d20900e

SHA1
50a9a72e882d968f98c26663635885fc1b74ce27

SHA256
99085290fdd4069a0a2c0e1d33c508a7fd08044c2f36d87c2e32df9ca77af8d7

SHA512
99f87b741113a55b1b4bc7008f997dfb19f39c6476380133a26b2b40d912f1772f77efbac1e0cadbf8d83ec43655570ab3aeee32b17d8323adfc15857dc5bdd6

Download Submit
memory/1464-55-0x0000000000000000-mapping.dmp

Download
memory/1564-54-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/1736-57-0x0000000000000000-mapping.dmp

Download
memory/1736-58-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download