0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

General

Target

0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c.dll
Size

204KB
MD5

6e9024dd2970cdf05368e34f1097289f
SHA1

d5d646c5787e6ca1b07656f254daaab130da7747
SHA256

0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c
SHA512

a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c
SSDEEP

3072:6FjQwsuxxLvqVftnQZQhp7yTzlMecI+XZ5oGc1qxJqwMclgfdK+i8dBPmxSOF:6ZQwlxJCVZmAel/cIPGsIqZcShi8dM

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	1992	rundll32.exe
2	1992	rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/980-56-0x0000000075270000-0x00000000752A8000-memory.dmp	upx
behavioral1/memory/980-59-0x0000000075270000-0x00000000752A8000-memory.dmp	upx
behavioral1/memory/1992-64-0x0000000075230000-0x0000000075268000-memory.dmp	upx
behavioral1/memory/1204-71-0x0000000075130000-0x0000000075168000-memory.dmp	upx
behavioral1/memory/1992-75-0x0000000075230000-0x0000000075268000-memory.dmp	upx
behavioral1/memory/1204-77-0x0000000075130000-0x0000000075168000-memory.dmp	upx
behavioral1/memory/1992-76-0x0000000075230000-0x0000000075268000-memory.dmp	upx
behavioral1/memory/980-78-0x0000000075270000-0x00000000752A8000-memory.dmp	upx
behavioral1/memory/1992-79-0x0000000075230000-0x0000000075268000-memory.dmp	upx
behavioral1/memory/1204-80-0x0000000075130000-0x0000000075168000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1992	rundll32.exe
1204	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~3\ett1tz8.jss	rundll32.exe
File created	C:\PROGRA~3\8zt1tte.fee	rundll32.exe
File opened for modification	C:\PROGRA~3\8zt1tte.fee	rundll32.exe
File created	C:\PROGRA~3\8zt1tte.odd	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 2024 wrote to memory of 980	2024	rundll32.exe	27
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 980 wrote to memory of 1992	980	rundll32.exe	28
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29
PID 1992 wrote to memory of 1204	1992	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\ett1tz8.jss,CCZ0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ett1tz8.jss,CCZ4
      4⤵
      Loads dropped DLL
      PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\8zt1tte.fee

Filesize
90.6MB

MD5
a3709399a2a2416699b1e1471949bcbb

SHA1
cab14bb836d592355db17e1e5a3fffaa919b4d57

SHA256
b19d0e2dbdb56cdea3e43a99fc379f8d87f24dc67bb41e168d53b131e153f4bb

SHA512
5618ed92f83b27183766d82a1e1786472e9822bcb7e81e96f6f6feac141d47c0ff9d97fe65da112fd99541232f8617964d076c1a70deac9400e021d6e5c4e1d9

Download Submit
C:\PROGRA~3\ett1tz8.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ett1tz8.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
\PROGRA~3\ett1tz8.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
\Users\Admin\AppData\Local\Temp\ett1tz8.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
memory/980-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/980-56-0x0000000075270000-0x00000000752A8000-memory.dmp

Filesize
224KB

Download
memory/980-59-0x0000000075270000-0x00000000752A8000-memory.dmp

Filesize
224KB

Download
memory/980-78-0x0000000075270000-0x00000000752A8000-memory.dmp

Filesize
224KB

Download
memory/1204-71-0x0000000075130000-0x0000000075168000-memory.dmp

Filesize
224KB

Download
memory/1204-77-0x0000000075130000-0x0000000075168000-memory.dmp

Filesize
224KB

Download
memory/1204-80-0x0000000075130000-0x0000000075168000-memory.dmp

Filesize
224KB

Download
memory/1992-64-0x0000000075230000-0x0000000075268000-memory.dmp

Filesize
224KB

Download
memory/1992-75-0x0000000075230000-0x0000000075268000-memory.dmp

Filesize
224KB

Download
memory/1992-76-0x0000000075230000-0x0000000075268000-memory.dmp

Filesize
224KB

Download
memory/1992-79-0x0000000075230000-0x0000000075268000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing