6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

Analysis

max time kernel
156s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
Size

637KB
MD5

a3554f723c2a1340932c53bed5352110
SHA1

b9f184948c9ad804ad6912c32b3a8f146872eb91
SHA256

6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50
SHA512

d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7
SSDEEP

12288:2rEbA5SpqJCoh/TZAZuHF9h2yQ12h2uLJT3HDR/2brjUJJK:98TOZ89h2yQ1O2wt2brjUrK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1896	dpnshost.exe
1088	~6105.tmp
1604	dialentc.exe

Loads dropped DLL 3 IoCs

pid	Process
1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
1896	dpnshost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\labeutou = "C:\\Users\\Admin\\AppData\\Roaming\\bthuvert\\dpnshost.exe"	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dialentc.exe	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	dpnshost.exe
1408	Explorer.EXE
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe
1408	Explorer.EXE
1604	dialentc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1408	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
948	AcroRd32.exe
948	AcroRd32.exe
948	AcroRd32.exe
948	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1896	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	27
PID 1672 wrote to memory of 1896	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	27
PID 1672 wrote to memory of 1896	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	27
PID 1672 wrote to memory of 1896	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	27
PID 1896 wrote to memory of 1088	1896	dpnshost.exe	28
PID 1896 wrote to memory of 1088	1896	dpnshost.exe	28
PID 1896 wrote to memory of 1088	1896	dpnshost.exe	28
PID 1896 wrote to memory of 1088	1896	dpnshost.exe	28
PID 1088 wrote to memory of 1408	1088	~6105.tmp	14
PID 1672 wrote to memory of 948	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	30
PID 1672 wrote to memory of 948	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	30
PID 1672 wrote to memory of 948	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	30
PID 1672 wrote to memory of 948	1672	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
- C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
  "C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe
    "C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\~6105.tmp
      "C:\Users\Admin\AppData\Local\Temp\~6105.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1088
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~6D64.tmp.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:948

C:\Windows\SysWOW64\dialentc.exe
C:\Windows\SysWOW64\dialentc.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6105.tmp

Filesize
6KB

MD5
954180776d3d07deb985f612be9ea895

SHA1
3db48020919dd35717bf88bd3c164f0652aba20e

SHA256
52944b7fdd7d525c95d5fd77e7b79a1900b515223524bd62014ba95062c785d2

SHA512
6d9c7fa44c25d276a2dfd3b1acf1f153553fedd840a5b49baa842aa61d44b4a6643bf661f064662c6195ce42e472505e4aad1f6b0f82da4a4af01e80e6bcb3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6D64.tmp.pdf

Filesize
336KB

MD5
db089ea9084f8fccc7cfb0a064be7dc6

SHA1
9831a0f6c56277563fdbb34ec28fcd6655a0cb9c

SHA256
b1fabddbd4781e19f8299e88b18eb3b27285b491db188d31722031e3afe063be

SHA512
873d7c6397a34c16dd1a9ba5c0623c838717985ac77c49f88d2209882001305a9bb7930983e2a7d1ce7aaa8b18e6e20a6330040da392c6be3ff4adb99935700b

Download Submit
C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe

Filesize
172KB

MD5
ffd27be93a8c1f9467f0019882922ae7

SHA1
edd08d9e5a48f974ff34fb83b83d4aa5eb7b79dd

SHA256
0741ad6ea473b4d9f47570cdbea6f8a10ffb299ec3ef717e93892bbc1b48fc41

SHA512
9fd870260a69e30c185a74bc8143dc46186160221e5ca747a5d54e01b952784ae344e2c45028e849f7dae0678355487ff9299c8ad3041c1ad103425dbfef4911

Download Submit
C:\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe

Filesize
172KB

MD5
ffd27be93a8c1f9467f0019882922ae7

SHA1
edd08d9e5a48f974ff34fb83b83d4aa5eb7b79dd

SHA256
0741ad6ea473b4d9f47570cdbea6f8a10ffb299ec3ef717e93892bbc1b48fc41

SHA512
9fd870260a69e30c185a74bc8143dc46186160221e5ca747a5d54e01b952784ae344e2c45028e849f7dae0678355487ff9299c8ad3041c1ad103425dbfef4911

Download Submit
C:\Windows\SysWOW64\dialentc.exe

Filesize
637KB

MD5
a3554f723c2a1340932c53bed5352110

SHA1
b9f184948c9ad804ad6912c32b3a8f146872eb91

SHA256
6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

SHA512
d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7

Download Submit
C:\Windows\SysWOW64\dialentc.exe

Filesize
637KB

MD5
a3554f723c2a1340932c53bed5352110

SHA1
b9f184948c9ad804ad6912c32b3a8f146872eb91

SHA256
6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

SHA512
d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7

Download Submit
\Users\Admin\AppData\Local\Temp\~6105.tmp

Filesize
6KB

MD5
954180776d3d07deb985f612be9ea895

SHA1
3db48020919dd35717bf88bd3c164f0652aba20e

SHA256
52944b7fdd7d525c95d5fd77e7b79a1900b515223524bd62014ba95062c785d2

SHA512
6d9c7fa44c25d276a2dfd3b1acf1f153553fedd840a5b49baa842aa61d44b4a6643bf661f064662c6195ce42e472505e4aad1f6b0f82da4a4af01e80e6bcb3af

Download Submit
\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe

Filesize
172KB

MD5
ffd27be93a8c1f9467f0019882922ae7

SHA1
edd08d9e5a48f974ff34fb83b83d4aa5eb7b79dd

SHA256
0741ad6ea473b4d9f47570cdbea6f8a10ffb299ec3ef717e93892bbc1b48fc41

SHA512
9fd870260a69e30c185a74bc8143dc46186160221e5ca747a5d54e01b952784ae344e2c45028e849f7dae0678355487ff9299c8ad3041c1ad103425dbfef4911

Download Submit
\Users\Admin\AppData\Roaming\bthuvert\dpnshost.exe

Filesize
172KB

MD5
ffd27be93a8c1f9467f0019882922ae7

SHA1
edd08d9e5a48f974ff34fb83b83d4aa5eb7b79dd

SHA256
0741ad6ea473b4d9f47570cdbea6f8a10ffb299ec3ef717e93892bbc1b48fc41

SHA512
9fd870260a69e30c185a74bc8143dc46186160221e5ca747a5d54e01b952784ae344e2c45028e849f7dae0678355487ff9299c8ad3041c1ad103425dbfef4911

Download Submit
memory/1408-65-0x0000000002650000-0x0000000002691000-memory.dmp

Filesize
260KB

Download
memory/1408-67-0x0000000002650000-0x0000000002691000-memory.dmp

Filesize
260KB

Download
memory/1604-71-0x0000000000540000-0x00000000005F2000-memory.dmp

Filesize
712KB

Download
memory/1672-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000000520000-0x00000000005D2000-memory.dmp

Filesize
712KB

Download