Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2022, 08:44
Static task: static1
Behavioral task: behavioral1
- Sample: 6505bfcf8a1972b30174ab42749aa055869b0f4159bb05d999a80bccdfc0033e.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6505bfcf8a1972b30174ab42749aa055869b0f4159bb05d999a80bccdfc0033e.dll
- Resource: win10v2004-20220901-en
General
- Target: 6505bfcf8a1972b30174ab42749aa055869b0f4159bb05d999a80bccdfc0033e.dll
- Size: 100KB
- MD5: 8133ad4d9f81486b56a7a1eefca3a760
- SHA1: 21eb74f23a000c0b8597adb06b9ca43d1f24b462
- SHA256: 6505bfcf8a1972b30174ab42749aa055869b0f4159bb05d999a80bccdfc0033e
- SHA512: 0f8e891989d6adcce20241f63e812aa21d4d468d294ae25d0346d9960e60bdc1ffb8748f928617909b68b179864a9c8d8b4d5e88230a4b1c4de26ff8bd009f99
- SSDEEP: 3072:064bWS0eSt/+6ZXppw2k2veF2hs9JxXh:06UWRcOE2kT2hS
Malware Config
Signatures
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters\ServiceDll = "C:\\PROGRA~3\\81A51082E46F6AF3443D9C7D56C3FA44\\zjwg7mqrj.dot" | rundll32.exe
- Memory regions matching the packer yara rule (signature name absent from the page)
  resource | yara_rule
  behavioral1/memory/1064-56-0x000000000B000000-0x000000000B023000-memory.dmp | upx
  behavioral1/memory/1064-59-0x000000000B000000-0x000000000B023000-memory.dmp | upx
  behavioral1/memory/1064-60-0x000000000B000000-0x000000000B023000-memory.dmp | upx
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\PROGRA~3\81A51082E46F6AF3443D9C7D56C3FA44\jrqm7gwjz.cpp | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1064 | rundll32.exe (the same entry is repeated 64 times)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1032 wrote to memory of 1064 | 1032 | rundll32.exe | 28 (the same entry is repeated 7 times)
Processes
- C:\Windows\system32\rundll32.exe (PID: 1032)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6505bfcf8a1972b30174ab42749aa055869b0f4159bb05d999a80bccdfc0033e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 1064, child of 1032)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6505bfcf8a1972b30174ab42749aa055869b0f4159bb05d999a80bccdfc0033e.dll,#1
    - Sets DLL path for service in the registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses