dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 18:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe
Size

128KB
MD5

82159ab16b9834722ab2c926215c8783
SHA1

187df49c5079d58f092edad06eb84805c94bd3b5
SHA256

dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513
SHA512

02ac0f2adfa6787073d8b29b85f28e1c3bbb8261c464d2e11d535f2d9199669c26ec98bc4c378e18c1384e0bebb0ee3b44734664d635c7ca6315b57b5c1e9658
SSDEEP

1536:lh807/tUUPbIiCsKDe3HfHYIOyOWW7Eu7s02rd9cqCmh6DY5atOXPQs:lhZ7/CsKakEu7s0SJVb

Score

8^/10

evasion persistence

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3476	Rundll32.exe
2360	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pxqbjfaa.dll	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
920	sc.exe
616	sc.exe
3552	sc.exe
5016	sc.exe
4640	sc.exe
3160	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	2360	WerFault.exe	77

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe
3476	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3476	2360	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe	78
PID 2360 wrote to memory of 3476	2360	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe	78
PID 2360 wrote to memory of 3476	2360	dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe	78
PID 3476 wrote to memory of 3248	3476	Rundll32.exe	79
PID 3476 wrote to memory of 3248	3476	Rundll32.exe	79
PID 3476 wrote to memory of 3248	3476	Rundll32.exe	79
PID 3476 wrote to memory of 660	3476	Rundll32.exe	80
PID 3476 wrote to memory of 660	3476	Rundll32.exe	80
PID 3476 wrote to memory of 660	3476	Rundll32.exe	80
PID 3476 wrote to memory of 3552	3476	Rundll32.exe	83
PID 3476 wrote to memory of 3552	3476	Rundll32.exe	83
PID 3476 wrote to memory of 3552	3476	Rundll32.exe	83
PID 3476 wrote to memory of 5016	3476	Rundll32.exe	86
PID 3476 wrote to memory of 5016	3476	Rundll32.exe	86
PID 3476 wrote to memory of 5016	3476	Rundll32.exe	86
PID 3476 wrote to memory of 4640	3476	Rundll32.exe	87
PID 3476 wrote to memory of 4640	3476	Rundll32.exe	87
PID 3476 wrote to memory of 4640	3476	Rundll32.exe	87
PID 3476 wrote to memory of 3160	3476	Rundll32.exe	88
PID 3476 wrote to memory of 3160	3476	Rundll32.exe	88
PID 3476 wrote to memory of 3160	3476	Rundll32.exe	88
PID 3476 wrote to memory of 920	3476	Rundll32.exe	93
PID 3476 wrote to memory of 920	3476	Rundll32.exe	93
PID 3476 wrote to memory of 920	3476	Rundll32.exe	93
PID 3476 wrote to memory of 1516	3476	Rundll32.exe	90
PID 3476 wrote to memory of 1516	3476	Rundll32.exe	90
PID 3476 wrote to memory of 1516	3476	Rundll32.exe	90
PID 3248 wrote to memory of 2336	3248	net.exe	95
PID 3248 wrote to memory of 2336	3248	net.exe	95
PID 3248 wrote to memory of 2336	3248	net.exe	95
PID 3476 wrote to memory of 2360	3476	Rundll32.exe	77
PID 3476 wrote to memory of 2360	3476	Rundll32.exe	77
PID 3476 wrote to memory of 3248	3476	Rundll32.exe	79
PID 3476 wrote to memory of 3248	3476	Rundll32.exe	79
PID 3476 wrote to memory of 660	3476	Rundll32.exe	80
PID 3476 wrote to memory of 660	3476	Rundll32.exe	80
PID 3476 wrote to memory of 4640	3476	Rundll32.exe	87
PID 3476 wrote to memory of 4640	3476	Rundll32.exe	87
PID 3476 wrote to memory of 3160	3476	Rundll32.exe	88
PID 3476 wrote to memory of 3160	3476	Rundll32.exe	88
PID 3476 wrote to memory of 920	3476	Rundll32.exe	93
PID 3476 wrote to memory of 920	3476	Rundll32.exe	93
PID 3476 wrote to memory of 1516	3476	Rundll32.exe	90
PID 3476 wrote to memory of 1516	3476	Rundll32.exe	90
PID 660 wrote to memory of 1940	660	net.exe	96
PID 660 wrote to memory of 1940	660	net.exe	96
PID 660 wrote to memory of 1940	660	net.exe	96
PID 3476 wrote to memory of 616	3476	Rundll32.exe	97
PID 3476 wrote to memory of 616	3476	Rundll32.exe	97
PID 3476 wrote to memory of 616	3476	Rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe
"C:\Users\Admin\AppData\Local\Temp\dadb655f5705f8076904b86d2bc4b792721fce177fb949ed10b1acdd092b6513.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\pxqbjfaa.dll Exbcute
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3552
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:5016
- - C:\Windows\SysWOW64\sc.exe
    sc stop ZhuDongFangYu
    3⤵
    - Launches sc.exe
    PID:4640
- - C:\Windows\SysWOW64\sc.exe
    sc delete ZhuDongFangYu
    3⤵
    - Launches sc.exe
    PID:3160
- - C:\Windows\SysWOW64\sc.exe
    sc delete 360rp
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\SysWOW64\sc.exe
    sc stop 360rp
    3⤵
    - Launches sc.exe
    PID:920
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    PID:616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 844
  2⤵
  - Program crash
  PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2360 -ip 2360
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\151E.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\pxqbjfaa.dll

Filesize
76KB

MD5
009b02b4eed440226b4fafb35d051ee7

SHA1
190de230e997bbec775f84fcc8092562c2491e5c

SHA256
39b884d4482b76088095f64d97fd6eef745205889bd985c6d6b30e28211c4efd

SHA512
69f218c071db71521a4e7f0b87b52e4436318392f75e6600787b975d6162c85650d15b5f009711d5d5f16fabfead38a97e870c32ae834293ddbfa4ecfc50d331

Download Submit
C:\Windows\SysWOW64\pxqbjfaa.dll

Filesize
76KB

MD5
009b02b4eed440226b4fafb35d051ee7

SHA1
190de230e997bbec775f84fcc8092562c2491e5c

SHA256
39b884d4482b76088095f64d97fd6eef745205889bd985c6d6b30e28211c4efd

SHA512
69f218c071db71521a4e7f0b87b52e4436318392f75e6600787b975d6162c85650d15b5f009711d5d5f16fabfead38a97e870c32ae834293ddbfa4ecfc50d331

Download Submit