f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797

Analysis

max time kernel
163s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe
Size

341KB
MD5

6cadb955f78ae587d525ee714fc431d0
SHA1

23be952782126ed5f9a26223e1fba8dc5a5fda30
SHA256

f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797
SHA512

a3b1f64e1e4ae391eff08d5edd94e47dd3b8e60819819a102e8a06bc7baa4a86e55cd0c00b113b780d65abe9a86b4301048295b6352c73d972b16e5ba9aff515
SSDEEP

3072:/BI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikm6bm:/K5ArKjbAxXSaegUqGeGpBohMb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1276	rdrlll32.exe
1292	~6A33.tmp
3296	shrpHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\colonger = "C:\\Users\\Admin\\AppData\\Roaming\\drivhelp\\rdrlll32.exe"	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shrpHost.exe	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1276	rdrlll32.exe
1276	rdrlll32.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE
3296	shrpHost.exe
3296	shrpHost.exe
3020	Explorer.EXE
3020	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1276	2820	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe	83
PID 2820 wrote to memory of 1276	2820	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe	83
PID 2820 wrote to memory of 1276	2820	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe	83
PID 1276 wrote to memory of 1292	1276	rdrlll32.exe	84
PID 1276 wrote to memory of 1292	1276	rdrlll32.exe	84
PID 1292 wrote to memory of 3020	1292	~6A33.tmp	55
PID 2820 wrote to memory of 3096	2820	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe	86
PID 2820 wrote to memory of 3096	2820	f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3020
- C:\Users\Admin\AppData\Local\Temp\f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe
  "C:\Users\Admin\AppData\Local\Temp\f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Roaming\drivhelp\rdrlll32.exe
    "C:\Users\Admin\AppData\Roaming\drivhelp\rdrlll32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\~6A33.tmp
      "C:\Users\Admin\AppData\Local\Temp\~6A33.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1292
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~6BF8.tmp.doc" /o ""
    3⤵
    PID:3096

C:\Windows\SysWOW64\shrpHost.exe
C:\Windows\SysWOW64\shrpHost.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6A33.tmp

Filesize
6KB

MD5
e9b1fe1a7a5d605d6e8a963d60e40131

SHA1
c9c8395d3b161b3cc726ccd680f3078fb58700e4

SHA256
ef20bdab5e1fe08db8cd5ad46142c7a1a1bc57248cf2ae5b5cac1fae11ac23f2

SHA512
18754b1e3d3c4d28f9664c9922e933ad68502e55aec62a813fec2155f696559dc0b96dd405b7f98f5c7523e964492430c0cf53060a09011a8d649e5b13210bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6A33.tmp

Filesize
6KB

MD5
e9b1fe1a7a5d605d6e8a963d60e40131

SHA1
c9c8395d3b161b3cc726ccd680f3078fb58700e4

SHA256
ef20bdab5e1fe08db8cd5ad46142c7a1a1bc57248cf2ae5b5cac1fae11ac23f2

SHA512
18754b1e3d3c4d28f9664c9922e933ad68502e55aec62a813fec2155f696559dc0b96dd405b7f98f5c7523e964492430c0cf53060a09011a8d649e5b13210bbb

Download Submit
C:\Users\Admin\AppData\Roaming\drivhelp\rdrlll32.exe

Filesize
172KB

MD5
5002ee3ba6c271691843c7d9593ced98

SHA1
019511e02583612cff8eca60691050629718be62

SHA256
931825b0052e333149bef3dec554a5031e3a04b51c2fdf97b65f5a5db2c7ae39

SHA512
fd9253bd880b281f9af86754fd2d346b8060418f676db62338689ec857a97c0eec82b9343ccb36595c420e32ee42886aa584cb17361a6b1cc9d19cd62ef0febe

Download Submit
C:\Users\Admin\AppData\Roaming\drivhelp\rdrlll32.exe

Filesize
172KB

MD5
5002ee3ba6c271691843c7d9593ced98

SHA1
019511e02583612cff8eca60691050629718be62

SHA256
931825b0052e333149bef3dec554a5031e3a04b51c2fdf97b65f5a5db2c7ae39

SHA512
fd9253bd880b281f9af86754fd2d346b8060418f676db62338689ec857a97c0eec82b9343ccb36595c420e32ee42886aa584cb17361a6b1cc9d19cd62ef0febe

Download Submit
C:\Windows\SysWOW64\shrpHost.exe

Filesize
341KB

MD5
6cadb955f78ae587d525ee714fc431d0

SHA1
23be952782126ed5f9a26223e1fba8dc5a5fda30

SHA256
f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797

SHA512
a3b1f64e1e4ae391eff08d5edd94e47dd3b8e60819819a102e8a06bc7baa4a86e55cd0c00b113b780d65abe9a86b4301048295b6352c73d972b16e5ba9aff515

Download Submit
C:\Windows\SysWOW64\shrpHost.exe

Filesize
341KB

MD5
6cadb955f78ae587d525ee714fc431d0

SHA1
23be952782126ed5f9a26223e1fba8dc5a5fda30

SHA256
f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797

SHA512
a3b1f64e1e4ae391eff08d5edd94e47dd3b8e60819819a102e8a06bc7baa4a86e55cd0c00b113b780d65abe9a86b4301048295b6352c73d972b16e5ba9aff515

Download Submit
memory/2820-133-0x0000000000650000-0x00000000006B8000-memory.dmp

Filesize
416KB

Download
memory/2820-132-0x0000000000650000-0x00000000006B8000-memory.dmp

Filesize
416KB

Download
memory/3020-143-0x0000000002850000-0x0000000002891000-memory.dmp

Filesize
260KB

Download
memory/3096-145-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3096-146-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3096-147-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3096-148-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3096-149-0x00007FF99C110000-0x00007FF99C120000-memory.dmp

Filesize
64KB

Download
memory/3096-150-0x00007FF9997B0000-0x00007FF9997C0000-memory.dmp

Filesize
64KB

Download
memory/3296-142-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download