Overview

overview

8

Static

static

241b9c7426...68.dll

windows7-x64

8

241b9c7426...68.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    171s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    241b9c7426df548d406b611d6bbc5ac5705db2314a2f7d12ae922081be15a868.dll

  • Size

    152KB

  • MD5

    357001f891abed68128317611aeccdf2

  • SHA1

    21c0f644342eac0b8d05b10bc965b0f72603318a

  • SHA256

    241b9c7426df548d406b611d6bbc5ac5705db2314a2f7d12ae922081be15a868

  • SHA512

    05b30beed2a2bb78e731e82b754ec075e16e10440decd5ba7197464a1795e101b592e4d9be6bf8261b01105f40f04b9e8dcd0e09fa702b0262edaa9dca42cde4

  • SSDEEP

    3072:+EgcnyjOwx2T0x8s1rJZNseTX6NwoFgWClXxM4:1zGF00isnoeWm0C5l

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 15 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\241b9c7426df548d406b611d6bbc5ac5705db2314a2f7d12ae922081be15a868.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\241b9c7426df548d406b611d6bbc5ac5705db2314a2f7d12ae922081be15a868.dll,#1
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\PROGRA~3\gfg9lwh.plz,GL300
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Windows\SysWOW64\regedit.exe
          C:\Windows\regedit.exe -s C:\PROGRA~3\hwl9gfg.reg
          4⤵
          • Sets DLL path for service in the registry
          • Runs .reg file with regedit
          PID:760
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39db055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~3\gfg9lwh.plz
    Filesize

    152KB

    MD5

    357001f891abed68128317611aeccdf2

    SHA1

    21c0f644342eac0b8d05b10bc965b0f72603318a

    SHA256

    241b9c7426df548d406b611d6bbc5ac5705db2314a2f7d12ae922081be15a868

    SHA512

    05b30beed2a2bb78e731e82b754ec075e16e10440decd5ba7197464a1795e101b592e4d9be6bf8261b01105f40f04b9e8dcd0e09fa702b0262edaa9dca42cde4

    Download Submit

  • C:\ProgramData\gfg9lwh.plz
    Filesize

    152KB

    MD5

    357001f891abed68128317611aeccdf2

    SHA1

    21c0f644342eac0b8d05b10bc965b0f72603318a

    SHA256

    241b9c7426df548d406b611d6bbc5ac5705db2314a2f7d12ae922081be15a868

    SHA512

    05b30beed2a2bb78e731e82b754ec075e16e10440decd5ba7197464a1795e101b592e4d9be6bf8261b01105f40f04b9e8dcd0e09fa702b0262edaa9dca42cde4

    Download Submit

  • C:\ProgramData\hwl9gfg.reg
    Filesize

    279B

    MD5

    ac21ce32a04e8577c2befe9fe2c20009

    SHA1

    2623d8954f8b4846fee32eefb72fe72c6fd37c82

    SHA256

    e6609d5b141d4701411a60747d9a2894ebbc7a0d2e4c9b7173302651825fdf69

    SHA512

    4214362d034119b955426b27e34911835e9e6c12a6ae10d1da666a4e3f5e41e97d8bbd04ca61d4070fa6e33b4476e41b7360f4483ffc01b853e7458605558677

    Download Submit

  • memory/3236-140-0x00000000754E0000-0x000000007550B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3236-143-0x00000000754E0000-0x000000007550B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3236-144-0x00000000754E0000-0x000000007550B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3236-147-0x00000000754E0000-0x000000007550B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3544-133-0x0000000075520000-0x000000007554B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/3544-138-0x0000000075520000-0x000000007554B000-memory.dmp

    Filesize

    172KB

    Download