Analysis

  • max time kernel
    119s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2022 01:27

General

  • Target

    12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6.dll

  • Size

    62KB

  • MD5

    7778309ac53566c636ccddebeb2116d0

  • SHA1

    b685a2dc2c1c918251710fd681062c3d77e28e7d

  • SHA256

    12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6

  • SHA512

    b89b6f9de7473ee5d8914805b337c682541ba9fcb163e381ae1ab17be1f417187ccbe46d8419d1c9579b1b47107ad01011b6fa69173f2467ec4fca727e8841a4

  • SSDEEP

    1536:GnNBbq4+CSvXceTPa0T6iN7X8Nek/8FKevXlS:+Dm4+CKMtO6iNMt8FvX

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cs16r2.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Windows\SysWOW64\taskkill.exe
          TASKKILL /FI "STATUS eq RUNNING" /IM "rundll32.exe" /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3564
        • C:\Windows\SysWOW64\taskkill.exe
          TASKKILL /FI "STATUS eq NOT RESPONDING" /IM "rundll32.exe" /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4172
        • C:\Windows\SysWOW64\taskkill.exe
          TASKKILL /FI "STATUS eq UNKNOWN" /IM "rundll32.exe" /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe
          CS16Launcher.exe
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1452

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

    Filesize

    2.3MB

    MD5

    1875f43c02db112f5a532fd49d37394a

    SHA1

    bec20bed918ffc6f667d670ff784d1872744af3b

    SHA256

    6ff69a1927b142cac353f444e00def83ee06fbcf078409b4e7667543f386fb7a

    SHA512

    54b8fcd44dfd7597649f7a95fc3a4a166ff865101746bca6200a2d4953e8418eeb512d7e476f9eeb0b4ad601097c0f9d3c8cd563a6ffa753d4692e8a1b5b6519

  • C:\Users\Admin\AppData\Local\Temp\cs16r2.bat

    Filesize

    991B

    MD5

    f0cb13b3a1891b5637b27a30b267c211

    SHA1

    2b819d5a84e447f6b8ca6ad5da846e81d7ef15bb

    SHA256

    5a4c82f579ce4938ac5eb41962315a2d91be3417ff7e7720abacff227ff99a8b

    SHA512

    add983bdce8fb79521efd72bdc6fac34c979215ed40e05ce162dc5d039a0a548eea920a6bc4890601e89882c38a5fd84efefcaa8b28c75f3ba9bc31cb49e2665