4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

General

Target

4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll
Size

204KB
MD5

80371305b7e024c580fe236f05ee03b0
SHA1

53866548687dad95bf09109b970f3b8487e25e63
SHA256

4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa
SHA512

0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34
SSDEEP

3072:iXJ7sOuqIjZypLh9lFMec2zRPPOeXZ5o2c1qxJqwMctgfdK+i8dBP2xyu:iXxMNy1h9rc2VP2P2sIqZcKhi8d

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
1	2040	rundll32.exe
2	2040	rundll32.exe
4	2040	rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-56-0x0000000074700000-0x0000000074739000-memory.dmp	upx
behavioral1/memory/2036-59-0x0000000074700000-0x0000000074739000-memory.dmp	upx
behavioral1/memory/2040-64-0x00000000746C0000-0x00000000746F9000-memory.dmp	upx
behavioral1/memory/1284-71-0x00000000745C0000-0x00000000745F9000-memory.dmp	upx
behavioral1/memory/2040-75-0x00000000746C0000-0x00000000746F9000-memory.dmp	upx
behavioral1/memory/2040-76-0x00000000746C0000-0x00000000746F9000-memory.dmp	upx
behavioral1/memory/1284-77-0x00000000745C0000-0x00000000745F9000-memory.dmp	upx
behavioral1/memory/2036-78-0x0000000074700000-0x0000000074739000-memory.dmp	upx
behavioral1/memory/2040-79-0x00000000746C0000-0x00000000746F9000-memory.dmp	upx
behavioral1/memory/1284-80-0x00000000745C0000-0x00000000745F9000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2040	rundll32.exe
1284	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~3\qmjrf08fl.jss	rundll32.exe
File created	C:\PROGRA~3\lf80frjmq.fee	rundll32.exe
File opened for modification	C:\PROGRA~3\lf80frjmq.fee	rundll32.exe
File created	C:\PROGRA~3\lf80frjmq.odd	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2012 wrote to memory of 2036	2012	rundll32.exe	27
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2036 wrote to memory of 2040	2036	rundll32.exe	28
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29
PID 2040 wrote to memory of 1284	2040	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\qmjrf08fl.jss,CCZ0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\qmjrf08fl.jss,CCZ4
      4⤵
      Loads dropped DLL
      PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\lf80frjmq.fee

Filesize
90.6MB

MD5
c5296f5fd56cce21c4bb28619c7d1de3

SHA1
13fc74466c6a72067ba62647d994f74c66155783

SHA256
30463a9f829a976a5e275835c135bb0d7f63f3704150b7418cb2abe479e57df9

SHA512
f7b1e0656cadb2c04c373fc6e61de8b1eef4be96063e0b106438818130849d7a84c59293bc263922c5b34f85170794a87d034e496475315333c3dfc9581a5912

Download Submit
C:\PROGRA~3\qmjrf08fl.jss

Filesize
204KB

MD5
80371305b7e024c580fe236f05ee03b0

SHA1
53866548687dad95bf09109b970f3b8487e25e63

SHA256
4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

SHA512
0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmjrf08fl.jss

Filesize
204KB

MD5
80371305b7e024c580fe236f05ee03b0

SHA1
53866548687dad95bf09109b970f3b8487e25e63

SHA256
4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

SHA512
0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Download Submit
\PROGRA~3\qmjrf08fl.jss

Filesize
204KB

MD5
80371305b7e024c580fe236f05ee03b0

SHA1
53866548687dad95bf09109b970f3b8487e25e63

SHA256
4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

SHA512
0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Download Submit
\Users\Admin\AppData\Local\Temp\qmjrf08fl.jss

Filesize
204KB

MD5
80371305b7e024c580fe236f05ee03b0

SHA1
53866548687dad95bf09109b970f3b8487e25e63

SHA256
4b6a1e80d3a32f2e29a0a715973e25fd8653a2147fa396f3723101edcfb83faa

SHA512
0f9ba38d6eb5a260a39a9ca6c823ead3de95cd2795ca67b350e4bd9af214be5fbdb8c381ad6c84cf627295c3eb35c2e9e7e039d8a65744139510743941e8ad34

Download Submit
memory/1284-71-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/1284-80-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/1284-77-0x00000000745C0000-0x00000000745F9000-memory.dmp

Filesize
228KB

Download
memory/2036-59-0x0000000074700000-0x0000000074739000-memory.dmp

Filesize
228KB

Download
memory/2036-56-0x0000000074700000-0x0000000074739000-memory.dmp

Filesize
228KB

Download
memory/2036-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2036-78-0x0000000074700000-0x0000000074739000-memory.dmp

Filesize
228KB

Download
memory/2040-75-0x00000000746C0000-0x00000000746F9000-memory.dmp

Filesize
228KB

Download
memory/2040-76-0x00000000746C0000-0x00000000746F9000-memory.dmp

Filesize
228KB

Download
memory/2040-79-0x00000000746C0000-0x00000000746F9000-memory.dmp

Filesize
228KB

Download
memory/2040-64-0x00000000746C0000-0x00000000746F9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing