70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f

Analysis

max time kernel
150s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
Size

120KB
MD5

00668f0deb99a2637b16440276129960
SHA1

1418e1115bb3b220537040b46b55e34e2b742054
SHA256

70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f
SHA512

051a534f0415f4780719b2a7e3d453f8becb1b92369eeabd65a8dbe3b8e5bac821e98e253a0f6c5424b4abc6d519425bb2a1f87de2ffbd00dd14d43a53e70b61
SSDEEP

1536:QgAj3mHyqEyyGwk4KTOGHcKhgnPZcHHTuipl/oUY3Fw:ryZyyupOYenPZcn3lgUY

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	980	Rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
1228	system.exe
932	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 12 IoCs

pid	Process
1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
2044	Rundll32.exe
2044	Rundll32.exe
2044	Rundll32.exe
2044	Rundll32.exe
1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
980	Rundll32.exe
980	Rundll32.exe
980	Rundll32.exe
980	Rundll32.exe
980	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
File created	C:\Windows\SysWOW64\hrbhmw.dll	system.exe
File created	C:\Windows\SysWOW64\hhhhmw.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
792	sc.exe
1144	sc.exe
1012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2044	Rundll32.exe
2044	Rundll32.exe
2044	Rundll32.exe
2044	Rundll32.exe
2044	Rundll32.exe
980	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
932	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
932	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1228	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	27
PID 1204 wrote to memory of 1228	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	27
PID 1204 wrote to memory of 1228	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	27
PID 1204 wrote to memory of 1228	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	27
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 1228 wrote to memory of 2044	1228	system.exe	28
PID 2044 wrote to memory of 580	2044	Rundll32.exe	29
PID 2044 wrote to memory of 580	2044	Rundll32.exe	29
PID 2044 wrote to memory of 580	2044	Rundll32.exe	29
PID 2044 wrote to memory of 580	2044	Rundll32.exe	29
PID 2044 wrote to memory of 1040	2044	Rundll32.exe	31
PID 2044 wrote to memory of 1040	2044	Rundll32.exe	31
PID 2044 wrote to memory of 1040	2044	Rundll32.exe	31
PID 2044 wrote to memory of 1040	2044	Rundll32.exe	31
PID 2044 wrote to memory of 792	2044	Rundll32.exe	33
PID 2044 wrote to memory of 792	2044	Rundll32.exe	33
PID 2044 wrote to memory of 792	2044	Rundll32.exe	33
PID 2044 wrote to memory of 792	2044	Rundll32.exe	33
PID 2044 wrote to memory of 1144	2044	Rundll32.exe	34
PID 2044 wrote to memory of 1144	2044	Rundll32.exe	34
PID 2044 wrote to memory of 1144	2044	Rundll32.exe	34
PID 2044 wrote to memory of 1144	2044	Rundll32.exe	34
PID 1040 wrote to memory of 1780	1040	net.exe	37
PID 1040 wrote to memory of 1780	1040	net.exe	37
PID 1040 wrote to memory of 1780	1040	net.exe	37
PID 1040 wrote to memory of 1780	1040	net.exe	37
PID 580 wrote to memory of 700	580	net.exe	38
PID 580 wrote to memory of 700	580	net.exe	38
PID 580 wrote to memory of 700	580	net.exe	38
PID 580 wrote to memory of 700	580	net.exe	38
PID 2044 wrote to memory of 1012	2044	Rundll32.exe	39
PID 2044 wrote to memory of 1012	2044	Rundll32.exe	39
PID 2044 wrote to memory of 1012	2044	Rundll32.exe	39
PID 2044 wrote to memory of 1012	2044	Rundll32.exe	39
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1228 wrote to memory of 980	1228	system.exe	41
PID 1204 wrote to memory of 932	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	42
PID 1204 wrote to memory of 932	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	42
PID 1204 wrote to memory of 932	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	42
PID 1204 wrote to memory of 932	1204	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	42

C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
"C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\hrbhmw.dll Exucute
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:700
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:1780
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:792
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:1144
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:1012
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\hhhhmw.dll Exucute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:980
- C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
  C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe

Filesize
32KB

MD5
7c221f401a70639c9f7a21981ce4c498

SHA1
84f87b438dcccdaf44129b21c30bf841c9aeffa4

SHA256
f4a53ba5e370f112d6c227b74cfea8f8352cb1c9e83ccb5920151b3ee0aeff07

SHA512
f6e9c2f2c32ee7b960c595c6aa0a69e437067fa4d43f00d26ebe09fc22aa310dc836ac7635ab5cba6ce18782bccbc364f5dcbcd0882dad00c86276faa58fe7e6

Download Submit
C:\Windows\SysWOW64\hhhhmw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
C:\Windows\SysWOW64\hrbhmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
074ddeb6196f0ddee8fa71afe5ae0cdd

SHA1
8282c6ae9242fee3bf09d24cfd74467145b60f87

SHA256
97e894a6f26506e609e12712fe45064e4eaaf531dcacf46a49fb8913367ada38

SHA512
346e349f1cdc00d30c187ee10f6247798bd9d2b8d3f296d308a4a3b0d75e3e8206c4af8bc59657540e9900141f149a59c964b44144ffc5aeb5abc77e60ea6634

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
074ddeb6196f0ddee8fa71afe5ae0cdd

SHA1
8282c6ae9242fee3bf09d24cfd74467145b60f87

SHA256
97e894a6f26506e609e12712fe45064e4eaaf531dcacf46a49fb8913367ada38

SHA512
346e349f1cdc00d30c187ee10f6247798bd9d2b8d3f296d308a4a3b0d75e3e8206c4af8bc59657540e9900141f149a59c964b44144ffc5aeb5abc77e60ea6634

Download Submit
\Users\Admin\AppData\Local\Temp\27DC.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe

Filesize
32KB

MD5
7c221f401a70639c9f7a21981ce4c498

SHA1
84f87b438dcccdaf44129b21c30bf841c9aeffa4

SHA256
f4a53ba5e370f112d6c227b74cfea8f8352cb1c9e83ccb5920151b3ee0aeff07

SHA512
f6e9c2f2c32ee7b960c595c6aa0a69e437067fa4d43f00d26ebe09fc22aa310dc836ac7635ab5cba6ce18782bccbc364f5dcbcd0882dad00c86276faa58fe7e6

Download Submit
\Windows\SysWOW64\hhhhmw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\hhhhmw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\hhhhmw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\hhhhmw.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
\Windows\SysWOW64\hrbhmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\hrbhmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\hrbhmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\hrbhmw.dll

Filesize
53KB

MD5
210995930b8b604e08ffa28b72be5cf6

SHA1
1f3a6bd70c7f5f51c56ce2cdedef93b37d3cc6fe

SHA256
f342192c746fdcb95168042d02f9f6d1e3a69633baa0ff58ad23e13b15be60ce

SHA512
e01cf7c25cd70878986de4e17e67df25430d07d7f91b7b8e8e042c8645e5bf944c8e8d22384038b4a08b1a53d95cfd05c3a95860e15670d42f9d79533eaa2711

Download Submit
\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
074ddeb6196f0ddee8fa71afe5ae0cdd

SHA1
8282c6ae9242fee3bf09d24cfd74467145b60f87

SHA256
97e894a6f26506e609e12712fe45064e4eaaf531dcacf46a49fb8913367ada38

SHA512
346e349f1cdc00d30c187ee10f6247798bd9d2b8d3f296d308a4a3b0d75e3e8206c4af8bc59657540e9900141f149a59c964b44144ffc5aeb5abc77e60ea6634

Download Submit
\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
074ddeb6196f0ddee8fa71afe5ae0cdd

SHA1
8282c6ae9242fee3bf09d24cfd74467145b60f87

SHA256
97e894a6f26506e609e12712fe45064e4eaaf531dcacf46a49fb8913367ada38

SHA512
346e349f1cdc00d30c187ee10f6247798bd9d2b8d3f296d308a4a3b0d75e3e8206c4af8bc59657540e9900141f149a59c964b44144ffc5aeb5abc77e60ea6634

Download Submit
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download