dd10a6df4ab46a4fa29bb12d10baf0c6e1aabba66d19e28245839babcc8367e5

Analysis

max time kernel
190s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 20:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

message.txt .exe
Size

123KB
MD5

175567c1a7a88e2f72d685b0c5c4c78e
SHA1

510ed5f7b0863c4157dab467aee25f85e4c595a2
SHA256

d01bd452425f6b4a9ffbe73cfbd11514db7c3830780bd101d399805e99a24b27
SHA512

11ea1dfcf30f4602423ffc642d05a1a1658bde18592ecf4c7f34061b8ac009523bac8bc3ff1dccce5847bb305717c6cf56ffbdfa2fbbd9d025d0cbfb46de14a8
SSDEEP

3072:sBnFQRxo/m6WemO4g0gUon2A64d+YWH9+XEsPuCV/CAaRwEYPd:sZFQXo/f/4In2Due9uMM/CBwE8d

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4488	NetMeeting.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	message.txt .exe

Loads dropped DLL 3 IoCs

pid	Process
1984	rundll32.exe
1872	rundll32.exe
4644	message.txt .exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Hardware Profile = "C:\\Windows\\system32\\hxdef.exe"	message.txt .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"	message.txt .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"	message.txt .exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runServices	message.txt .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\runServices\SystemTra = "C:\\Windows\\SysTra.EXE"	message.txt .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\Windows\\system32\\spollsv.exe"	NetMeeting.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	message.txt .exe
File opened (read-only)	\??\P:	message.txt .exe
File opened (read-only)	\??\R:	message.txt .exe
File opened (read-only)	\??\S:	message.txt .exe
File opened (read-only)	\??\H:	message.txt .exe
File opened (read-only)	\??\I:	message.txt .exe
File opened (read-only)	\??\J:	message.txt .exe
File opened (read-only)	\??\K:	message.txt .exe
File opened (read-only)	\??\X:	message.txt .exe
File opened (read-only)	\??\Y:	message.txt .exe
File opened (read-only)	\??\N:	message.txt .exe
File opened (read-only)	\??\T:	message.txt .exe
File opened (read-only)	\??\U:	message.txt .exe
File opened (read-only)	\??\W:	message.txt .exe
File opened (read-only)	\??\E:	message.txt .exe
File opened (read-only)	\??\V:	message.txt .exe
File opened (read-only)	\??\Q:	message.txt .exe
File opened (read-only)	\??\Z:	message.txt .exe
File opened (read-only)	\??\F:	message.txt .exe
File opened (read-only)	\??\G:	message.txt .exe
File opened (read-only)	\??\L:	message.txt .exe
File opened (read-only)	\??\M:	message.txt .exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ODBC16.dll	message.txt .exe
File opened for modification	C:\Windows\SysWOW64\spollsv.exe	NetMeeting.exe
File created	C:\Windows\SysWOW64\hxdef.exe	message.txt .exe
File created	C:\Windows\SysWOW64\IEXPLORE.EXE	message.txt .exe
File created	C:\Windows\SysWOW64\NetMeeting.exe	message.txt .exe
File created	C:\Windows\SysWOW64\msjdbc11.dll	message.txt .exe
File created	C:\Windows\SysWOW64\MSSIGN30.DLL	message.txt .exe
File created	C:\Windows\SysWOW64\spollsv.exe	NetMeeting.exe
File opened for modification	C:\Windows\SysWOW64\hxdef.exe	message.txt .exe
File created	C:\Windows\SysWOW64\RAVMOND.exe	message.txt .exe
File created	C:\Windows\SysWOW64\kernel66.dll	message.txt .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4532	4644	WerFault.exe	79
3120	4644	WerFault.exe	79

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4644	message.txt .exe
4644	message.txt .exe
1872	rundll32.exe
1872	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4488	NetMeeting.exe
4488	NetMeeting.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 5048	4644	message.txt .exe	80
PID 4644 wrote to memory of 5048	4644	message.txt .exe	80
PID 4644 wrote to memory of 5048	4644	message.txt .exe	80
PID 4644 wrote to memory of 4912	4644	message.txt .exe	82
PID 4644 wrote to memory of 4912	4644	message.txt .exe	82
PID 4644 wrote to memory of 4912	4644	message.txt .exe	82
PID 5048 wrote to memory of 2268	5048	net.exe	84
PID 5048 wrote to memory of 2268	5048	net.exe	84
PID 5048 wrote to memory of 2268	5048	net.exe	84
PID 4912 wrote to memory of 832	4912	net.exe	85
PID 4912 wrote to memory of 832	4912	net.exe	85
PID 4912 wrote to memory of 832	4912	net.exe	85
PID 4644 wrote to memory of 1068	4644	message.txt .exe	86
PID 4644 wrote to memory of 1068	4644	message.txt .exe	86
PID 4644 wrote to memory of 1068	4644	message.txt .exe	86
PID 1068 wrote to memory of 5024	1068	net.exe	88
PID 1068 wrote to memory of 5024	1068	net.exe	88
PID 1068 wrote to memory of 5024	1068	net.exe	88
PID 4644 wrote to memory of 1984	4644	message.txt .exe	93
PID 4644 wrote to memory of 1984	4644	message.txt .exe	93
PID 4644 wrote to memory of 1984	4644	message.txt .exe	93
PID 4644 wrote to memory of 4488	4644	message.txt .exe	92
PID 4644 wrote to memory of 4488	4644	message.txt .exe	92
PID 4644 wrote to memory of 4488	4644	message.txt .exe	92
PID 4644 wrote to memory of 1872	4644	message.txt .exe	91
PID 4644 wrote to memory of 1872	4644	message.txt .exe	91
PID 4644 wrote to memory of 1872	4644	message.txt .exe	91
PID 1872 wrote to memory of 4644	1872	rundll32.exe	79
PID 1872 wrote to memory of 4644	1872	rundll32.exe	79
PID 4644 wrote to memory of 4532	4644	message.txt .exe	96
PID 4644 wrote to memory of 4532	4644	message.txt .exe	96
PID 4644 wrote to memory of 4532	4644	message.txt .exe	96

C:\Users\Admin\AppData\Local\Temp\message.txt .exe
"C:\Users\Admin\AppData\Local\Temp\message.txt .exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec AntiVirus Client"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
    3⤵
    PID:2268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Symantec AntiVirus Server"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Server"
    3⤵
    PID:832
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Rising Realtime Monitor Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Rising Realtime Monitor Service"
    3⤵
    PID:5024
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" ODBC16.dll ondll_reg
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- C:\Windows\SysWOW64\NetMeeting.exe
  "C:\Windows\System32\NetMeeting.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4488
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" ODBC16.dll ondll_install
  2⤵
  - Loads dropped DLL
  PID:1984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 2212
  2⤵
  - Program crash
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 2212
  2⤵
  - Program crash
  PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4644 -ip 4644
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NetMeeting.exe

Filesize
60KB

MD5
068ab7aff165eaf4a6b5d1f5efc5779d

SHA1
73a804514776dfd459eeff5fe00a0d6fab0af268

SHA256
c0c8e4b525a79261a08fe87507f0c0e3bbe4b8f5e78c9a8d4b26bba4077d2708

SHA512
6053cd554427ebef13a7d405309b9ce3d675d81e389632e80b28bac7b0e1e7dc1913fee8dcfbc624ed091d62eeab51ad41d9124463548be9d32b8d33911b50ee

Download Submit
C:\Windows\SysWOW64\NetMeeting.exe

Filesize
60KB

MD5
068ab7aff165eaf4a6b5d1f5efc5779d

SHA1
73a804514776dfd459eeff5fe00a0d6fab0af268

SHA256
c0c8e4b525a79261a08fe87507f0c0e3bbe4b8f5e78c9a8d4b26bba4077d2708

SHA512
6053cd554427ebef13a7d405309b9ce3d675d81e389632e80b28bac7b0e1e7dc1913fee8dcfbc624ed091d62eeab51ad41d9124463548be9d32b8d33911b50ee

Download Submit
C:\Windows\SysWOW64\ODBC16.dll

Filesize
52KB

MD5
7d72bf5a3f74ddeb5a7a384a1f73be80

SHA1
2c7041e8b997996720772ed15ec5e978e3074795

SHA256
1e69e7b29420d2fc935664a76ee7015c53d8155c8d624258c30d4ed17a2bebff

SHA512
0652753b4fd5a1bad738b2299f00d0231c0a136c670278299e409624c6ed423ab66e0400814e20ffbbca87c75d60f1c893819c02cde372f99b584eba3d5c72d7

Download Submit
C:\Windows\SysWOW64\ODBC16.dll

Filesize
52KB

MD5
7d72bf5a3f74ddeb5a7a384a1f73be80

SHA1
2c7041e8b997996720772ed15ec5e978e3074795

SHA256
1e69e7b29420d2fc935664a76ee7015c53d8155c8d624258c30d4ed17a2bebff

SHA512
0652753b4fd5a1bad738b2299f00d0231c0a136c670278299e409624c6ed423ab66e0400814e20ffbbca87c75d60f1c893819c02cde372f99b584eba3d5c72d7

Download Submit
C:\Windows\SysWOW64\ODBC16.dll

Filesize
52KB

MD5
7d72bf5a3f74ddeb5a7a384a1f73be80

SHA1
2c7041e8b997996720772ed15ec5e978e3074795

SHA256
1e69e7b29420d2fc935664a76ee7015c53d8155c8d624258c30d4ed17a2bebff

SHA512
0652753b4fd5a1bad738b2299f00d0231c0a136c670278299e409624c6ed423ab66e0400814e20ffbbca87c75d60f1c893819c02cde372f99b584eba3d5c72d7

Download Submit
C:\Windows\SysWOW64\ODBC16.dll

Filesize
52KB

MD5
7d72bf5a3f74ddeb5a7a384a1f73be80

SHA1
2c7041e8b997996720772ed15ec5e978e3074795

SHA256
1e69e7b29420d2fc935664a76ee7015c53d8155c8d624258c30d4ed17a2bebff

SHA512
0652753b4fd5a1bad738b2299f00d0231c0a136c670278299e409624c6ed423ab66e0400814e20ffbbca87c75d60f1c893819c02cde372f99b584eba3d5c72d7

Download Submit
memory/1872-152-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4644-135-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4644-151-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/4644-153-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4644-155-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4644-156-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download