664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4

Analysis

max time kernel
91s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4.exe
Size

112KB
MD5

96653f486e280cc3a747792a9768da8d
SHA1

ba4338ea3cf336c18a6f6d0bfd4bef9cb87682d6
SHA256

664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4
SHA512

510f0d2a734ad0aeb7522741dadd70ce2658c48b4cb1797228a52e92cfa342372c7155bbd2899eceb707a05d49466c14da473280b983166f2cc440fa8ccd6395
SSDEEP

3072:/hizgwyT3BJNMW2m2Xg/aN2n2tFdCd73W6v7sxkM:JJ3uW2gJ2H0w6Y2M

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4940	rundll32.exe
4968	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HpNetNotifier = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\odbcNetdrm\\HpNetNotifier.dll\",BluetoothMobileaudio Syncmaplog"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4940	2808	664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4.exe	82
PID 2808 wrote to memory of 4940	2808	664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4.exe	82
PID 2808 wrote to memory of 4940	2808	664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4.exe	82
PID 4940 wrote to memory of 4968	4940	rundll32.exe	83
PID 4940 wrote to memory of 4968	4940	rundll32.exe	83
PID 4940 wrote to memory of 4968	4940	rundll32.exe	83

C:\Users\Admin\AppData\Local\Temp\664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4.exe
"C:\Users\Admin\AppData\Local\Temp\664459f2fff6fb67fd71fb5f034b8196eecc64846af99f54bee072ee4a2f9ac4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\i18objlink.dll", BluetoothMobileaudio rasUserppm
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\odbcNetdrm\HpNetNotifier.dll",BluetoothMobileaudio Syncmaplog
    3⤵
    - Loads dropped DLL
    PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i18objlink.dll

Filesize
124KB

MD5
41e46e2ca8ca95ccb25d5b9508afe67f

SHA1
7342929b82b3556950d02a55c231f3f7749af1e3

SHA256
0ad25ef3c0fac4991f173ef473863f5f5a3dedf07937c06d2940e016d2e272d5

SHA512
5485dc9d3d9f5987952751dbd5d638d75cecf175bf8b7c0651655b976a50960be4022fb45d70a23ec1a413065560f092cef2d922d8331a41867875eec0ea4314

Download Submit
C:\Users\Admin\AppData\Local\Temp\i18objlink.dll

Filesize
124KB

MD5
41e46e2ca8ca95ccb25d5b9508afe67f

SHA1
7342929b82b3556950d02a55c231f3f7749af1e3

SHA256
0ad25ef3c0fac4991f173ef473863f5f5a3dedf07937c06d2940e016d2e272d5

SHA512
5485dc9d3d9f5987952751dbd5d638d75cecf175bf8b7c0651655b976a50960be4022fb45d70a23ec1a413065560f092cef2d922d8331a41867875eec0ea4314

Download Submit
C:\Users\Admin\AppData\Local\odbcNetdrm\HpNetNotifier.dll

Filesize
124KB

MD5
41e46e2ca8ca95ccb25d5b9508afe67f

SHA1
7342929b82b3556950d02a55c231f3f7749af1e3

SHA256
0ad25ef3c0fac4991f173ef473863f5f5a3dedf07937c06d2940e016d2e272d5

SHA512
5485dc9d3d9f5987952751dbd5d638d75cecf175bf8b7c0651655b976a50960be4022fb45d70a23ec1a413065560f092cef2d922d8331a41867875eec0ea4314

Download Submit
C:\Users\Admin\AppData\Local\odbcNetdrm\HpNetNotifier.dll

Filesize
124KB

MD5
41e46e2ca8ca95ccb25d5b9508afe67f

SHA1
7342929b82b3556950d02a55c231f3f7749af1e3

SHA256
0ad25ef3c0fac4991f173ef473863f5f5a3dedf07937c06d2940e016d2e272d5

SHA512
5485dc9d3d9f5987952751dbd5d638d75cecf175bf8b7c0651655b976a50960be4022fb45d70a23ec1a413065560f092cef2d922d8331a41867875eec0ea4314

Download Submit
memory/4940-132-0x0000000000000000-mapping.dmp

Download
memory/4968-135-0x0000000000000000-mapping.dmp

Download