70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f

General

Target

70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
Size

120KB
MD5

00668f0deb99a2637b16440276129960
SHA1

1418e1115bb3b220537040b46b55e34e2b742054
SHA256

70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f
SHA512

051a534f0415f4780719b2a7e3d453f8becb1b92369eeabd65a8dbe3b8e5bac821e98e253a0f6c5424b4abc6d519425bb2a1f87de2ffbd00dd14d43a53e70b61
SSDEEP

1536:QgAj3mHyqEyyGwk4KTOGHcKhgnPZcHHTuipl/oUY3Fw:ryZyyupOYenPZcn3lgUY

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1088	system.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 1 IoCs

pid	Process
1672	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
File created	C:\Windows\SysWOW64\lbjiifaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5024	sc.exe
3568	sc.exe
2484	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe
1672	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1088	5032	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	26
PID 5032 wrote to memory of 1088	5032	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	26
PID 5032 wrote to memory of 1088	5032	70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe	26
PID 1088 wrote to memory of 1672	1088	system.exe	84
PID 1088 wrote to memory of 1672	1088	system.exe	84
PID 1088 wrote to memory of 1672	1088	system.exe	84
PID 1672 wrote to memory of 2960	1672	Rundll32.exe	94
PID 1672 wrote to memory of 2960	1672	Rundll32.exe	94
PID 1672 wrote to memory of 2960	1672	Rundll32.exe	94
PID 1672 wrote to memory of 628	1672	Rundll32.exe	93
PID 1672 wrote to memory of 628	1672	Rundll32.exe	93
PID 1672 wrote to memory of 628	1672	Rundll32.exe	93
PID 1672 wrote to memory of 3568	1672	Rundll32.exe	91
PID 1672 wrote to memory of 3568	1672	Rundll32.exe	91
PID 1672 wrote to memory of 3568	1672	Rundll32.exe	91
PID 1672 wrote to memory of 5024	1672	Rundll32.exe	89
PID 1672 wrote to memory of 5024	1672	Rundll32.exe	89
PID 1672 wrote to memory of 5024	1672	Rundll32.exe	89
PID 2960 wrote to memory of 4200	2960	net.exe	88
PID 2960 wrote to memory of 4200	2960	net.exe	88
PID 2960 wrote to memory of 4200	2960	net.exe	88
PID 628 wrote to memory of 216	628	net.exe	87
PID 628 wrote to memory of 216	628	net.exe	87
PID 628 wrote to memory of 216	628	net.exe	87

C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
"C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\lbjiifaa.dll Exucute
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:5024
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:3568
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:628
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2960
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:2484
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\tekujfaa.dll Exucute
    3⤵
    PID:3616
- C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
  C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe
  2⤵
  PID:3892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
1⤵
PID:216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70da95bde4d981eb2f6ed954ce886e9245893a62e887cc236cd919bc4bb16d3f.exe

Filesize
32KB

MD5
7c221f401a70639c9f7a21981ce4c498

SHA1
84f87b438dcccdaf44129b21c30bf841c9aeffa4

SHA256
f4a53ba5e370f112d6c227b74cfea8f8352cb1c9e83ccb5920151b3ee0aeff07

SHA512
f6e9c2f2c32ee7b960c595c6aa0a69e437067fa4d43f00d26ebe09fc22aa310dc836ac7635ab5cba6ce18782bccbc364f5dcbcd0882dad00c86276faa58fe7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D769.tmp

Filesize
482KB

MD5
96229ed2c17384cc86302cbba7a174e6

SHA1
f93390071d3861665a605cd93ad3a3e291d2ad2e

SHA256
fbd4288be1f63f05a4af45751bbf7344feb1794aa414ce269dca7f5dcf6ac278

SHA512
a6338d46d2a4a177edc807cae01d37942453a7daabb2c623da303c6a0d1d610ebb8421d36bca1f6bb25bfe212ad9cd16996b7de219d6d71d620fe891f3b5acd3

Download Submit
C:\Windows\SysWOW64\lbjiifaa.dll

Filesize
23KB

MD5
db84e8ae65065b6b002b39f8fb003c19

SHA1
40161ceb688c0ca45f300f22e137d6e7a0797aab

SHA256
1666113ea3bc09210ed7b2a2598d34d4502ba653769ca4a109ef09984b8f54a0

SHA512
f63151905371cc53e02134194f7c6318ea5f3363e3ba45af23470b16e6a93d77d02b428a62610b89efc2342e204b9304d35539bdcc0e5d78cb336fd19160489f

Download Submit
C:\Windows\SysWOW64\lbjiifaa.dll

Filesize
31KB

MD5
45eee28dae5a41a1b74c49fe97f410da

SHA1
97343ae2f7df8796703b1d021803745c31ceec31

SHA256
6830d13c1fbaa62c075f52495eb4ee3586997c6fde54d8f28b18da28c941dd4f

SHA512
d11dc2b16484fa200fa8d7258487c9a3c5bcd6c5d32ef77ed3f7b5d42597687044fe983393800bb7b1a0f812fb472ff020d91714d638d09bac1fda5745f8a550

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
28KB

MD5
c7135a4e4fde54cc6aee85e4c0edaf62

SHA1
0b8e9025979bb0d9484f0c9e7c375deb7ba02862

SHA256
1863f36e5d6e1ab386bd24c5bbc564b9918ae022c66ff1aa2fa4ad0d975ea883

SHA512
77a8d380fb9f55fa19973ee09707562c4d4d47dccecec115a9e2b91b97e32538808514d9850ca67338e20b33acb5be486b94ab7259e4d073dbe08890f79d9a68

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
15KB

MD5
9ca7e89270775731f4f8b6c638891032

SHA1
452724cac1d9b509fbc1d6add933eeb57acbefbb

SHA256
342128d5b4111a5c82d8849a7fb5c157b8c886b799326e7318f50781b288d662

SHA512
d381ceb1588fff1dca02414e16912c82c4e28196df363310ccbe593f6b3e4f6c9cbdb0bb9540934fdd20956f3683017f885edcb22485ae36d675f7c8c9258cdc

Download Submit
C:\Windows\SysWOW64\tekujfaa.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
C:\Windows\SysWOW64\tekujfaa.dll

Filesize
19KB

MD5
969035e2164bd07b46d7b35ea766f47d

SHA1
d1ae955cf7524d1d0d2af10be7cc63649e7bc520

SHA256
2bf16a3299ac282671c61c6d332f5680cf5dae9af499c513f4c9d07cd3a1c674

SHA512
160c91355fcd55d581748efa243ad374e00f85f39d98afce494bd13312ded6d6e2c2924e3bbd223e438a517eac7e8cc7ddab144fa76faf3765c7c07c5c777c53

Download Submit
memory/5032-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing