Analysis
max time kernel: 148s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 18:39
Behavioral task: behavioral1
Sample: 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44.dll
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44.dll
Resource: win10v2004-20220901-en
General
Target: 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44.dll
Size: 769KB
MD5: 6f600974c45eec97016c1259e769a4ef
SHA1: 56eed20ea731d28d621723130518ac00bf50170d
SHA256: 9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44
SHA512: 468c84bf4f5324c4a87c7bc79b2a4c878893d4ede3691f2c3a779c718da20601b13fd79474acb6004b6f58bb2e21fbd70a1698e6bc7bbe43635e8be727f149fd
SSDEEP: 12288:DPjiD91nFoMWpWgjltgTg490dJ5NAdYlY97rvlaOCTLfXt:DeciYFU8OAX
Malware Config
Signatures
Opens file in notepad (likely ransom note) - 1 IoCs
Processes:
  pid   process
  1960  NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken - 4 IoCs
Processes:
  description                          pid   process
  Token: 33                            1592  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    1592  AUDIODG.EXE
  Token: 33                            1592  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    1592  AUDIODG.EXE

Suspicious use of WriteProcessMemory - 7 IoCs
Processes:
  description                        pid   process        target process
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
  PID 864 wrote to memory of 1608    864   regsvr32.exe   regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe (level 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (level 2)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44.dll
- C:\Windows\explorer.exe (level 1)
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x238
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE (level 1)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SetResolve.ps1xml
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads
- memory/864-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp (Filesize: 8KB)
- memory/1608-55-0x0000000000000000-mapping.dmp
- memory/1608-56-0x0000000076261000-0x0000000076263000-memory.dmp (Filesize: 8KB)
- memory/1608-60-0x0000000000220000-0x000000000025F000-memory.dmp (Filesize: 252KB)
- memory/1608-63-0x0000000000220000-0x00000000002A0000-memory.dmp (Filesize: 512KB)
- memory/1608-64-0x0000000000220000-0x00000000002A0000-memory.dmp (Filesize: 512KB)