c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6

Analysis

max time kernel
148s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
Size

280KB
MD5

49f57039c3956225756f544bb987e3c0
SHA1

cee23d2454fd080f7bd871b06c4846ba00318759
SHA256

c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6
SHA512

1dffbea58f49c1c709439c3da8a6c16cd2705903b5e81cee6d960fb277be1e824ff93c2b9c2d0279d43a9e1c33ec280a6eb45946d2be836d089745d7a542c107
SSDEEP

6144:SsJvXdjle3O25F06ZWzC9MY/d7pUXoxTF0fLqOL1pOLfr7HHo:LvXve3kP0d/F+D/LKLfr7no

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
1640	rUNDLL32.exe
1640	rUNDLL32.exe
1640	rUNDLL32.exe
1640	rUNDLL32.exe
108	rundll32.exe
108	rundll32.exe
108	rundll32.exe
108	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Mozilla\\snstnnoj.dll\",DllRegisterServer"	rUNDLL32.exe
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\7-Zip = "RunDLL32.exe C:\\Users\\Admin\\AppData\\Local\\7-Zip\\wgiuyzbe.dll,DllCanUnloadNow"	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	RunDLL32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozilla = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Mozilla\\snstnnoj.dll\",DllRegisterServer"	rUNDLL32.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Adobe\\Mozilla\\snstnnoj.dll\",DllRegisterServer"	rUNDLL32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1640	rUNDLL32.exe
1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
1640	rUNDLL32.exe
1640	rUNDLL32.exe
1640	rUNDLL32.exe
1640	rUNDLL32.exe
108	rundll32.exe
108	rundll32.exe
1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
324	RunDLL32.exe
324	RunDLL32.exe
324	RunDLL32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
324	RunDLL32.exe
108	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1492 wrote to memory of 1640	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	28
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1640 wrote to memory of 108	1640	rUNDLL32.exe	30
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31
PID 1492 wrote to memory of 324	1492	c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe	31

C:\Users\Admin\AppData\Local\Temp\c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe
"C:\Users\Admin\AppData\Local\Temp\c43e594b3cf70a6264912ddd916e96b5c8c86c5c89a70b2f00315607389046f6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\rUNDLL32.exe
  rUNDLL32 "C:\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll",DllRegisterServer
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Adobe\Mozilla\snstnnoj.dll",DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:108
- C:\Windows\SysWOW64\RunDLL32.exe
  RunDLL32.exe C:\Users\Admin\AppData\Local\7-Zip\wgiuyzbe.dll,DllCanUnloadNow
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7-Zip\wgiuyzbe.dll

Filesize
538KB

MD5
a8f6b06e26a017e6d1ae000b9e27b631

SHA1
f6ca39e93612dc7d40e5c7509b229d4505267f26

SHA256
8db4c688301cf923f12c56fc47f5a830316e3544a822a731964400e2d76f2b8c

SHA512
5cb5f6e6e78a9f61bfb77d566c2ee54a4581b0c27627432d160667d75c73144c5fb6cb3b9fad08a46b85997e605946b341638e74c744c3fa11efd3ed9010008e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Mozilla\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Adobe\Mozilla\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Adobe\Mozilla\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Adobe\Mozilla\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Adobe\Mozilla\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1C98.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\snstnnoj\fdkvamvp.dll

Filesize
538KB

MD5
a8f6b06e26a017e6d1ae000b9e27b631

SHA1
f6ca39e93612dc7d40e5c7509b229d4505267f26

SHA256
8db4c688301cf923f12c56fc47f5a830316e3544a822a731964400e2d76f2b8c

SHA512
5cb5f6e6e78a9f61bfb77d566c2ee54a4581b0c27627432d160667d75c73144c5fb6cb3b9fad08a46b85997e605946b341638e74c744c3fa11efd3ed9010008e

Download Submit
\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
\Users\Admin\AppData\Local\Temp\snstnnoj\snstnnoj.dll

Filesize
332KB

MD5
1ed561899384bf22530cf843ddebdc5d

SHA1
44d73844fbe2225457d0f91f39e36c162ffc2a9f

SHA256
e26e8cb47f614fe6b4cc569752420064bd1c48c87be0f74355e5bc5afaea6b8c

SHA512
e3e6a4128d9f003c547e7c0bcdf2178a68431f8a2f858eb45388c95794111235ce6f65f162bf826d451de18f79440a47c2a32222e89f4b7eef4c8795e99c08e3

Download Submit
memory/108-72-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/108-78-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/324-77-0x0000000072660000-0x00000000726ED000-memory.dmp

Filesize
564KB

Download
memory/1492-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1492-71-0x0000000072660000-0x00000000726ED000-memory.dmp

Filesize
564KB

Download
memory/1492-74-0x0000000072660000-0x00000000726ED000-memory.dmp

Filesize
564KB

Download