3d5ad850e0ac06a94cff13d7bf1d1567ac1a067d943b9c8366b593b993b3d464

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-09-2022 15:25

Target

PERQ.joboptions
Size

29KB
MD5

c93723777669f56c1220331a8e3ff1a9
SHA1

8006b171ab37d600de2dba842d00ae2677429fcc
SHA256

a6afe776f215f6cfc27d961b679392b5992081b0ce6eb8bc5a160100a419c863
SHA512

2633fe97d482bf0e12e527e1a20ecd372d9a9342401a777aa1d6c609d18f8749d7682033a75e1dddb47dfb41b44450e522ae72a1fb5f485a2de1505264c088b3
SSDEEP

384:OOVve32WylD+h+aNiUMEMkMxpMtFIjBPRDJ:O02mWylD+VixEM0IjBpV

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\joboptions_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\joboptions_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.joboptions\ = "joboptions_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\joboptions_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\joboptions_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.joboptions	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\joboptions_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\joboptions_auto_file\shell	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1764 AcroRd32.exe
1764 AcroRd32.exe
1764 AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1648 wrote to memory of 964	1648	cmd.exe	rundll32.exe
PID 1648 wrote to memory of 964	1648	cmd.exe	rundll32.exe
PID 1648 wrote to memory of 964	1648	cmd.exe	rundll32.exe
PID 964 wrote to memory of 1764	964	rundll32.exe	AcroRd32.exe
PID 964 wrote to memory of 1764	964	rundll32.exe	AcroRd32.exe
PID 964 wrote to memory of 1764	964	rundll32.exe	AcroRd32.exe
PID 964 wrote to memory of 1764	964	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PERQ.joboptions
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PERQ.joboptions
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PERQ.joboptions"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1764

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/964-76-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1764-81-0x0000000000000000-mapping.dmp

Download
memory/1764-82-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download