de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697

Analysis

max time kernel
153s
max time network
77s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 22:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697.dll
Size

108KB
MD5

763984081710ab6c7b9a675cc34d8152
SHA1

7e4099b833380525aa8adeb941ee365471bc140b
SHA256

de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697
SHA512

77d3560aaa0ef3170ef5da5b464a7a742dd9915181387483fff71363a61d2a88353dc28c210549eb41fb78a7d24b868066b44338a5d6a247b199c7c3c6b374bb
SSDEEP

1536:gKYqDZJfmIuj6zX5kerYmaZoGwKf6WMaQVSAHzVnAyCBcGprdxgEqfhpl3H7e:S0z+ITzJFW9fnMaQHVnGBDgJt7

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	960	rundll32.exe
3	960	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/328-56-0x000000000B000000-0x000000000B032000-memory.dmp	upx
behavioral1/memory/328-59-0x000000000B000000-0x000000000B032000-memory.dmp	upx
behavioral1/memory/960-67-0x000000000B000000-0x000000000B032000-memory.dmp	upx
behavioral1/memory/328-68-0x000000000B000000-0x000000000B032000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
960	rundll32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\g7rjeeb.bbr	rundll32.exe
File created	C:\PROGRA~3\beejr7g.gsa	rundll32.exe
File created	C:\PROGRA~3\g7rjeeb.bbr	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 756 wrote to memory of 328	756	rundll32.exe	27
PID 328 wrote to memory of 960	328	rundll32.exe	28
PID 328 wrote to memory of 960	328	rundll32.exe	28
PID 328 wrote to memory of 960	328	rundll32.exe	28
PID 328 wrote to memory of 960	328	rundll32.exe	28
PID 328 wrote to memory of 960	328	rundll32.exe	28
PID 328 wrote to memory of 960	328	rundll32.exe	28
PID 328 wrote to memory of 960	328	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\beejr7g.gsa,MMS1
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\beejr7g.gsa

Filesize
108KB

MD5
763984081710ab6c7b9a675cc34d8152

SHA1
7e4099b833380525aa8adeb941ee365471bc140b

SHA256
de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697

SHA512
77d3560aaa0ef3170ef5da5b464a7a742dd9915181387483fff71363a61d2a88353dc28c210549eb41fb78a7d24b868066b44338a5d6a247b199c7c3c6b374bb

Download Submit
\PROGRA~3\beejr7g.gsa

Filesize
108KB

MD5
763984081710ab6c7b9a675cc34d8152

SHA1
7e4099b833380525aa8adeb941ee365471bc140b

SHA256
de1ed7c61bb7a5fb0d95f16b6c4a4029cd825acfc51cafcde8197988c1e31697

SHA512
77d3560aaa0ef3170ef5da5b464a7a742dd9915181387483fff71363a61d2a88353dc28c210549eb41fb78a7d24b868066b44338a5d6a247b199c7c3c6b374bb

Download Submit
memory/328-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/328-56-0x000000000B000000-0x000000000B032000-memory.dmp

Filesize
200KB

Download
memory/328-59-0x000000000B000000-0x000000000B032000-memory.dmp

Filesize
200KB

Download
memory/328-68-0x000000000B000000-0x000000000B032000-memory.dmp

Filesize
200KB

Download
memory/960-67-0x000000000B000000-0x000000000B032000-memory.dmp

Filesize
200KB

Download