Overview

overview

8

Static

static

142ba96c31...45.dll

windows7-x64

8

142ba96c31...45.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    27s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2022, 23:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    142ba96c313233cead4ff8620bd977596a9992fa36729a357cc5a3c6116ccb45.dll

  • Size

    36KB

  • MD5

    570917fe7bc753119fa869d2e69c0918

  • SHA1

    c4509144b8e63cd92324fe7353abfd3bf32d4a13

  • SHA256

    142ba96c313233cead4ff8620bd977596a9992fa36729a357cc5a3c6116ccb45

  • SHA512

    11591403aff44da3cef9b8eac86feeb65df2158ce40dcb7cee502542e911a506beb5bc2fb2ae3e12b23bccc97a1f4d2d64672ec061e3e4c4ffb621d62b9137e0

  • SSDEEP

    384:DqgZzRc9yOYwLVy+kDguVSLrYvTttHk+aQv1pFw/O58DYl:DlackuVgrYLLEzs1XIOWE

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\142ba96c313233cead4ff8620bd977596a9992fa36729a357cc5a3c6116ccb45.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\142ba96c313233cead4ff8620bd977596a9992fa36729a357cc5a3c6116ccb45.dll,#1
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\a.reg
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\regedit.exe
          "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\a.reg"
          4⤵
          • Runs .reg file with regedit
          PID:944

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\a.reg
          Filesize

          152B

          MD5

          b100f5324ef74ded0b998e64d07a2e19

          SHA1

          40b0d7f51bf2dd8451f1b723d21355c471a5fa46

          SHA256

          3db613d24a75ae220891698c055e1c580a42e58564f568a0510db87581cc2042

          SHA512

          c12391bb37c334074f7d7e1257b6364fd5cbce848e0a8fe15b8326f54fd9568fe3baec58618c4334027a774a06a08ec249cb71db925c1f85feee6a3d3a816c04

          Download Submit

        • memory/1364-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

          Filesize

          8KB

          Download