eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe
Size

87KB
MD5

c25fb94942b3326caae687781f4e67c2
SHA1

026c6e172ca5a8b6aa16b10b411f5c40dd0f43c6
SHA256

eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489
SHA512

00d912ad55f20e64b7f063a5ca39dbadae4ef7f7b8be05ecd14ab64d6336e5db0f66c18febc562ba5a0e898215a4b0ace0271e3f96254fa70fdc100e3f9e0ac5
SSDEEP

1536:Pbi5LqQpHnuhmUC0qQuB0ReWxyVZ9z91LEyUwV:PeLqIB0ReWxUzL/

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1556	Rundll32.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 9 IoCs

pid	Process
1212	Rundll32.exe
1212	Rundll32.exe
1212	Rundll32.exe
1212	Rundll32.exe
1556	Rundll32.exe
1556	Rundll32.exe
1556	Rundll32.exe
1556	Rundll32.exe
1556	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\btjmnw.dll	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe
File created	C:\Windows\SysWOW64\wjwonw.dll	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1344	sc.exe
1648	sc.exe
872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1212	Rundll32.exe
1212	Rundll32.exe
1212	Rundll32.exe
1212	Rundll32.exe
1212	Rundll32.exe
1556	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1004 wrote to memory of 1212	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	28
PID 1212 wrote to memory of 1492	1212	Rundll32.exe	29
PID 1212 wrote to memory of 1492	1212	Rundll32.exe	29
PID 1212 wrote to memory of 1492	1212	Rundll32.exe	29
PID 1212 wrote to memory of 1492	1212	Rundll32.exe	29
PID 1212 wrote to memory of 1536	1212	Rundll32.exe	33
PID 1212 wrote to memory of 1536	1212	Rundll32.exe	33
PID 1212 wrote to memory of 1536	1212	Rundll32.exe	33
PID 1212 wrote to memory of 1536	1212	Rundll32.exe	33
PID 1212 wrote to memory of 1344	1212	Rundll32.exe	32
PID 1212 wrote to memory of 1344	1212	Rundll32.exe	32
PID 1212 wrote to memory of 1344	1212	Rundll32.exe	32
PID 1212 wrote to memory of 1344	1212	Rundll32.exe	32
PID 1212 wrote to memory of 1648	1212	Rundll32.exe	35
PID 1212 wrote to memory of 1648	1212	Rundll32.exe	35
PID 1212 wrote to memory of 1648	1212	Rundll32.exe	35
PID 1212 wrote to memory of 1648	1212	Rundll32.exe	35
PID 1492 wrote to memory of 564	1492	net.exe	37
PID 1492 wrote to memory of 564	1492	net.exe	37
PID 1492 wrote to memory of 564	1492	net.exe	37
PID 1492 wrote to memory of 564	1492	net.exe	37
PID 1536 wrote to memory of 684	1536	net.exe	38
PID 1536 wrote to memory of 684	1536	net.exe	38
PID 1536 wrote to memory of 684	1536	net.exe	38
PID 1536 wrote to memory of 684	1536	net.exe	38
PID 1212 wrote to memory of 872	1212	Rundll32.exe	39
PID 1212 wrote to memory of 872	1212	Rundll32.exe	39
PID 1212 wrote to memory of 872	1212	Rundll32.exe	39
PID 1212 wrote to memory of 872	1212	Rundll32.exe	39
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41
PID 1004 wrote to memory of 1556	1004	eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe	41

C:\Users\Admin\AppData\Local\Temp\eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe
"C:\Users\Admin\AppData\Local\Temp\eae7bb76084d796a253cd8b55da8c3f60c1a38fbc3d4740ab3ffbf9abe309489.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\btjmnw.dll Exucute
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:564
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1344
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:684
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1648
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    PID:872
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\wjwonw.dll Exucute
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\btjmnw.dll

Filesize
61KB

MD5
81fe4fab769454c9f3ae5c0738a01caf

SHA1
de804adb98f37aa32b270e7ceebd6aa50c058bb1

SHA256
34818d6c3335477ceb1c2e8d5448408acd9bf53cb48a570ad9f2a49664526959

SHA512
114799cb47ec463081d6fe8d11828c5d11042f823f5fe9ce15f3a4220250a01c48f0645bfae45149ed5d41d59075ff282b7279e2388b793f6422c7f70c0337f0

Download Submit
C:\Windows\SysWOW64\wjwonw.dll

Filesize
21KB

MD5
1627a8e254901a9604addaf5e14473f2

SHA1
0307dca0863f1b02f3f6fb8393c166285d80983b

SHA256
1831fe4906497d1d8f09c1cb93d6f80559259c29f07e50bc43828f0304e1a913

SHA512
2f0da8ddcb9e0505a8ccf08b189727be2f7324a3598edafd3bf055df60e1dc46fead5946d20210619199881069da049dbfcc78e5082a0b89048173c9c7cdd603

Download Submit
\Users\Admin\AppData\Local\Temp\406B.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\btjmnw.dll

Filesize
61KB

MD5
81fe4fab769454c9f3ae5c0738a01caf

SHA1
de804adb98f37aa32b270e7ceebd6aa50c058bb1

SHA256
34818d6c3335477ceb1c2e8d5448408acd9bf53cb48a570ad9f2a49664526959

SHA512
114799cb47ec463081d6fe8d11828c5d11042f823f5fe9ce15f3a4220250a01c48f0645bfae45149ed5d41d59075ff282b7279e2388b793f6422c7f70c0337f0

Download Submit
\Windows\SysWOW64\btjmnw.dll

Filesize
61KB

MD5
81fe4fab769454c9f3ae5c0738a01caf

SHA1
de804adb98f37aa32b270e7ceebd6aa50c058bb1

SHA256
34818d6c3335477ceb1c2e8d5448408acd9bf53cb48a570ad9f2a49664526959

SHA512
114799cb47ec463081d6fe8d11828c5d11042f823f5fe9ce15f3a4220250a01c48f0645bfae45149ed5d41d59075ff282b7279e2388b793f6422c7f70c0337f0

Download Submit
\Windows\SysWOW64\btjmnw.dll

Filesize
61KB

MD5
81fe4fab769454c9f3ae5c0738a01caf

SHA1
de804adb98f37aa32b270e7ceebd6aa50c058bb1

SHA256
34818d6c3335477ceb1c2e8d5448408acd9bf53cb48a570ad9f2a49664526959

SHA512
114799cb47ec463081d6fe8d11828c5d11042f823f5fe9ce15f3a4220250a01c48f0645bfae45149ed5d41d59075ff282b7279e2388b793f6422c7f70c0337f0

Download Submit
\Windows\SysWOW64\btjmnw.dll

Filesize
61KB

MD5
81fe4fab769454c9f3ae5c0738a01caf

SHA1
de804adb98f37aa32b270e7ceebd6aa50c058bb1

SHA256
34818d6c3335477ceb1c2e8d5448408acd9bf53cb48a570ad9f2a49664526959

SHA512
114799cb47ec463081d6fe8d11828c5d11042f823f5fe9ce15f3a4220250a01c48f0645bfae45149ed5d41d59075ff282b7279e2388b793f6422c7f70c0337f0

Download Submit
\Windows\SysWOW64\wjwonw.dll

Filesize
21KB

MD5
1627a8e254901a9604addaf5e14473f2

SHA1
0307dca0863f1b02f3f6fb8393c166285d80983b

SHA256
1831fe4906497d1d8f09c1cb93d6f80559259c29f07e50bc43828f0304e1a913

SHA512
2f0da8ddcb9e0505a8ccf08b189727be2f7324a3598edafd3bf055df60e1dc46fead5946d20210619199881069da049dbfcc78e5082a0b89048173c9c7cdd603

Download Submit
\Windows\SysWOW64\wjwonw.dll

Filesize
21KB

MD5
1627a8e254901a9604addaf5e14473f2

SHA1
0307dca0863f1b02f3f6fb8393c166285d80983b

SHA256
1831fe4906497d1d8f09c1cb93d6f80559259c29f07e50bc43828f0304e1a913

SHA512
2f0da8ddcb9e0505a8ccf08b189727be2f7324a3598edafd3bf055df60e1dc46fead5946d20210619199881069da049dbfcc78e5082a0b89048173c9c7cdd603

Download Submit
\Windows\SysWOW64\wjwonw.dll

Filesize
21KB

MD5
1627a8e254901a9604addaf5e14473f2

SHA1
0307dca0863f1b02f3f6fb8393c166285d80983b

SHA256
1831fe4906497d1d8f09c1cb93d6f80559259c29f07e50bc43828f0304e1a913

SHA512
2f0da8ddcb9e0505a8ccf08b189727be2f7324a3598edafd3bf055df60e1dc46fead5946d20210619199881069da049dbfcc78e5082a0b89048173c9c7cdd603

Download Submit
\Windows\SysWOW64\wjwonw.dll

Filesize
21KB

MD5
1627a8e254901a9604addaf5e14473f2

SHA1
0307dca0863f1b02f3f6fb8393c166285d80983b

SHA256
1831fe4906497d1d8f09c1cb93d6f80559259c29f07e50bc43828f0304e1a913

SHA512
2f0da8ddcb9e0505a8ccf08b189727be2f7324a3598edafd3bf055df60e1dc46fead5946d20210619199881069da049dbfcc78e5082a0b89048173c9c7cdd603

Download Submit
memory/1212-55-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download