ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc

Analysis

max time kernel
53s
max time network
159s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 04:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe
Size

1.8MB
MD5

b5a85fc38e0e21840210fd159d7c8c06
SHA1

a3e24634eb2d92340f6db857fa5ae40524a83887
SHA256

ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc
SHA512

1415c35d0370a5fa0bd6db0ed1d91dbfdce32002955687e92ea78b74c0a270fb194a28446e582dd529a970178a7cc4e447daaefad1ac314114b83d65739b9417
SSDEEP

24576:rconAINPy/CHbYTIYcpewW/R7+CF73qYHjVMRAmz+JL1sSBkfprWqRD9iMF8m3Of:bRxk8xpcR7+cfzmKjbIiq53qm3O/SKJ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3536	rundll32.exe
3916	rundll32.exe
3916	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 5048	2700	ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe	66
PID 2700 wrote to memory of 5048	2700	ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe	66
PID 2700 wrote to memory of 5048	2700	ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe	66
PID 5048 wrote to memory of 3536	5048	control.exe	68
PID 5048 wrote to memory of 3536	5048	control.exe	68
PID 5048 wrote to memory of 3536	5048	control.exe	68
PID 3536 wrote to memory of 4816	3536	rundll32.exe	69
PID 3536 wrote to memory of 4816	3536	rundll32.exe	69
PID 4816 wrote to memory of 3916	4816	RunDll32.exe	70
PID 4816 wrote to memory of 3916	4816	RunDll32.exe	70
PID 4816 wrote to memory of 3916	4816	RunDll32.exe	70

C:\Users\Admin\AppData\Local\Temp\ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe
"C:\Users\Admin\AppData\Local\Temp\ad6ef463ee4b488b81ec6d0b4a02864a9a309c347f7373aac92ee038642521bc.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\R~VhO0.cpL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R~VhO0.cpL",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R~VhO0.cpL",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\R~VhO0.cpL",
        5⤵
        Loads dropped DLL
        
        PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\R~VhO0.cpL

Filesize
1.5MB

MD5
732b0e1538abd03a48996b235e0d569b

SHA1
f8e3de1aa6820fd989609268f643ac62340fa5a7

SHA256
9f6bdd36b75ae80a829e2220196e7f300756129ef9c46d251e220b26f9b38832

SHA512
98517e38dcb2855525bab4327df14a26ab3068d13f33bc69c38a3831e94a633f2dfeb21a017f863bb2b8836acb89944f51c4fba109c8a664bba331151d55759f

Download Submit
\Users\Admin\AppData\Local\Temp\r~vhO0.cpl

Filesize
1.5MB

MD5
732b0e1538abd03a48996b235e0d569b

SHA1
f8e3de1aa6820fd989609268f643ac62340fa5a7

SHA256
9f6bdd36b75ae80a829e2220196e7f300756129ef9c46d251e220b26f9b38832

SHA512
98517e38dcb2855525bab4327df14a26ab3068d13f33bc69c38a3831e94a633f2dfeb21a017f863bb2b8836acb89944f51c4fba109c8a664bba331151d55759f

Download Submit
\Users\Admin\AppData\Local\Temp\r~vhO0.cpl

Filesize
1.5MB

MD5
732b0e1538abd03a48996b235e0d569b

SHA1
f8e3de1aa6820fd989609268f643ac62340fa5a7

SHA256
9f6bdd36b75ae80a829e2220196e7f300756129ef9c46d251e220b26f9b38832

SHA512
98517e38dcb2855525bab4327df14a26ab3068d13f33bc69c38a3831e94a633f2dfeb21a017f863bb2b8836acb89944f51c4fba109c8a664bba331151d55759f

Download Submit
\Users\Admin\AppData\Local\Temp\r~vhO0.cpl

Filesize
1.5MB

MD5
732b0e1538abd03a48996b235e0d569b

SHA1
f8e3de1aa6820fd989609268f643ac62340fa5a7

SHA256
9f6bdd36b75ae80a829e2220196e7f300756129ef9c46d251e220b26f9b38832

SHA512
98517e38dcb2855525bab4327df14a26ab3068d13f33bc69c38a3831e94a633f2dfeb21a017f863bb2b8836acb89944f51c4fba109c8a664bba331151d55759f

Download Submit
memory/2700-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-179-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/3536-275-0x00000000051B0000-0x00000000052DA000-memory.dmp

Filesize
1.2MB

Download
memory/3536-324-0x00000000051B0000-0x00000000052DA000-memory.dmp

Filesize
1.2MB

Download
memory/3536-274-0x0000000004F50000-0x000000000507A000-memory.dmp

Filesize
1.2MB

Download
memory/3916-335-0x0000000004A20000-0x0000000004B4A000-memory.dmp

Filesize
1.2MB

Download
memory/3916-334-0x00000000047C0000-0x00000000048EA000-memory.dmp

Filesize
1.2MB

Download
memory/3916-343-0x0000000004A20000-0x0000000004B4A000-memory.dmp

Filesize
1.2MB

Download