3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe
Size

96KB
MD5

67c3ef7b43566e275af9c20991dc4a2d
SHA1

27e206b91a72320e78b198d6f5e26e53aad04730
SHA256

3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9
SHA512

fe58c4f7cfbaec86c1b5d776df25b19a2001e33c5470bba7e8bd95a9c5d65e788f2c81439dc70b57d1511bfbe607128fabceb3e0ae009a377d352e9761002379
SSDEEP

1536:f4KTOGHcKhgnPZcHHTuipl/oUY3Fw8VLN:fpOYenPZcn3lgUYH

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1100	Rundll32.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 9 IoCs

pid	Process
1532	Rundll32.exe
1532	Rundll32.exe
1532	Rundll32.exe
1532	Rundll32.exe
1100	Rundll32.exe
1100	Rundll32.exe
1100	Rundll32.exe
1100	Rundll32.exe
1100	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wlfknw.dll	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe
File created	C:\Windows\SysWOW64\tnifmw.dll	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1692	sc.exe
944	sc.exe
1344	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1532	Rundll32.exe
1532	Rundll32.exe
1532	Rundll32.exe
1532	Rundll32.exe
1532	Rundll32.exe
1100	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1460 wrote to memory of 1532	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	27
PID 1532 wrote to memory of 1332	1532	Rundll32.exe	28
PID 1532 wrote to memory of 1332	1532	Rundll32.exe	28
PID 1532 wrote to memory of 1332	1532	Rundll32.exe	28
PID 1532 wrote to memory of 1332	1532	Rundll32.exe	28
PID 1532 wrote to memory of 672	1532	Rundll32.exe	31
PID 1532 wrote to memory of 672	1532	Rundll32.exe	31
PID 1532 wrote to memory of 672	1532	Rundll32.exe	31
PID 1532 wrote to memory of 672	1532	Rundll32.exe	31
PID 1532 wrote to memory of 1344	1532	Rundll32.exe	32
PID 1532 wrote to memory of 1344	1532	Rundll32.exe	32
PID 1532 wrote to memory of 1344	1532	Rundll32.exe	32
PID 1532 wrote to memory of 1344	1532	Rundll32.exe	32
PID 1532 wrote to memory of 1692	1532	Rundll32.exe	34
PID 1532 wrote to memory of 1692	1532	Rundll32.exe	34
PID 1532 wrote to memory of 1692	1532	Rundll32.exe	34
PID 1532 wrote to memory of 1692	1532	Rundll32.exe	34
PID 1332 wrote to memory of 1732	1332	net.exe	36
PID 1332 wrote to memory of 1732	1332	net.exe	36
PID 1332 wrote to memory of 1732	1332	net.exe	36
PID 1332 wrote to memory of 1732	1332	net.exe	36
PID 672 wrote to memory of 1980	672	net.exe	35
PID 672 wrote to memory of 1980	672	net.exe	35
PID 672 wrote to memory of 1980	672	net.exe	35
PID 672 wrote to memory of 1980	672	net.exe	35
PID 1532 wrote to memory of 944	1532	Rundll32.exe	38
PID 1532 wrote to memory of 944	1532	Rundll32.exe	38
PID 1532 wrote to memory of 944	1532	Rundll32.exe	38
PID 1532 wrote to memory of 944	1532	Rundll32.exe	38
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40
PID 1460 wrote to memory of 1100	1460	3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe	40

C:\Users\Admin\AppData\Local\Temp\3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe
"C:\Users\Admin\AppData\Local\Temp\3e0bd8535575f51dc788111893abfb7633dcb6d77deaba649bf656c7ac0008a9.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\tnifmw.dll Exucute
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1980
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1344
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1692
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    PID:944
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\wlfknw.dll Exucute
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tnifmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
C:\Windows\SysWOW64\wlfknw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Users\Admin\AppData\Local\Temp\3045.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\tnifmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\tnifmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\tnifmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\tnifmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\wlfknw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\wlfknw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\wlfknw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\wlfknw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
memory/1532-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download