b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/11/2022, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

4.8MB
MD5

780c98ccb0bc0dae2242b4fa624d9871
SHA1

e1df2dc3ad4127c4f1f23e853495e92fd3479991
SHA256

b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
SHA512

d8e3dd8643df87b487dd2ffa7a720c66619370023fdb6b7e53a92fc80852888d2d33512efe2f13e585247d64997540804f30fe7b7f6e38772c8839b1d88cac98
SSDEEP

98304:tu9cj4G6PAA35gAXuzWuG0tGA6wgPfAet7OwxB8tEQIiJCEt09oMIQ:tumj4GX0OMuyb0t0pzlH38tEQIeazh

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1604 set thread context of 848	1604	file.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	file.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
848	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
848	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27
PID 1604 wrote to memory of 848	1604	file.exe	27

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1359bf3b-88ab-42dc-9aea-d113cc7ebfeb.tmp

Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\691650e8-0ac2-4427-bb8b-74f96bcc3bfe.tmp

Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rpiidpytrto.tmp

Filesize
3.5MB

MD5
c597ca48af580cb2755914474a787ddf

SHA1
427cdbd19eadb94f1f89b51a7c3647a3ff7d3925

SHA256
8c67a70fe070595fda6ec977af7da0085d40df299f04cdd5669156752fee3f31

SHA512
c41ab851b712c484184934b2dab7015d329ec485b454b645411f69a97ef4a46351fe892f86522abf19c08cf1b7b6a5212954053b8218046cdfab24ef734e47ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupExe(20220812141637698).log

Filesize
203KB

MD5
7d2a4a24260f0ef4de56be4f33150f83

SHA1
9e085b9f66a463cadf55b279e3a89955a8430f78

SHA256
1f7e06410628cfb1e394ad384b5fd1ce493213c36d442a86a860b7c7bd4c7ebe

SHA512
ddaf2bb1ea2fe2bc04d78f8d8490529441b9518cfa8484ca04cac6210644ff56b4a3acfac4049436eee6c05c4a8536dcb84a4af2128b196946d23fb1ee77f6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20220812_140958_124.txt

Filesize
7KB

MD5
f468f5019551db70fc19347c8469b2da

SHA1
f99429262f22b806a1c95e042a38b6530de004d5

SHA256
d9216724e263287bae08c0aa5d0eb47f2c4e7edb5af241573859b8880ab9dcc0

SHA512
a3e15a64f27dbe4f4e94c07db13e560347fdffa69b716c96e27907b2e42ccc47b2dc3e7f433fb89ab44222ce5e9fd9fe3c8bcad78c3a95455e8f93dd7d042e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20220812_140959_669.txt

Filesize
2KB

MD5
8b9a8e9e86433347fa4771ce778e8b30

SHA1
781d4faa07e50daf68be703294e76297dbea5245

SHA256
2d5021c59984460762206f84606cf27b4408f17c7fc4da3e0454e07896904f01

SHA512
5f2411bc030c76b7a9549f1baf84e7fc600603c65358411dcb1bbd8fcc657a2743faec7b26074fd83c8646294e091c3f8b284a880e7ef266926214bdb7811a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20220812-142921-0.log

Filesize
44KB

MD5
63dcbe074f416ac9508f9574fb20b772

SHA1
90390db069d3a30f8a0db2903d0c539eb9b42168

SHA256
fe1237c5b92a3a6d9fc72e388089e6c1e332b8218dcea1b93a9134a55efad084

SHA512
592a758bd30401cc61f041a2459bfece2fabaaed6502193fab668fb0653fd18d8e5d109b26e6d7c43250f7e835ca8aa1b67ecb1da26919ba26e4f0159bd5ffb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20220812-143500-0.log

Filesize
36KB

MD5
8aee94bd34346ad9387a4667e730f23b

SHA1
52c0c34e5cf977a39824f31de935aab4a21c8608

SHA256
232d2940b64fa70f8d643020d8782b81a83074bfb0e3679f1bf6dc1953119138

SHA512
6c53c612328141d3d80253dd40b8a0b6d5a610611a8a825f15a0eaa46e58ba707ef122d1833ddf2beb8b1196e885e015130cd271554a02beeded82d84f9c9011

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
memory/848-79-0x00000000028A0000-0x0000000003409000-memory.dmp

Filesize
11.4MB

Download
memory/848-94-0x0000000006011000-0x000000000634B000-memory.dmp

Filesize
3.2MB

Download
memory/848-104-0x00000000028A0000-0x0000000003409000-memory.dmp

Filesize
11.4MB

Download
memory/848-103-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/848-102-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/848-99-0x00000000038C0000-0x00000000038E2000-memory.dmp

Filesize
136KB

Download
memory/848-98-0x0000000003C50000-0x0000000003C81000-memory.dmp

Filesize
196KB

Download
memory/848-97-0x0000000001450000-0x000000000147B000-memory.dmp

Filesize
172KB

Download
memory/848-84-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/848-75-0x00000000004F0000-0x0000000000F3A000-memory.dmp

Filesize
10.3MB

Download
memory/848-83-0x0000000003620000-0x0000000003760000-memory.dmp

Filesize
1.2MB

Download
memory/848-82-0x00000000004F0000-0x0000000000F3A000-memory.dmp

Filesize
10.3MB

Download
memory/848-81-0x00000000028A0000-0x0000000003409000-memory.dmp

Filesize
11.4MB

Download
memory/1604-55-0x0000000002560000-0x0000000002A0A000-memory.dmp

Filesize
4.7MB

Download
memory/1604-73-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-63-0x00000000034B0000-0x0000000004019000-memory.dmp

Filesize
11.4MB

Download
memory/1604-64-0x00000000034B0000-0x0000000004019000-memory.dmp

Filesize
11.4MB

Download
memory/1604-61-0x00000000034B0000-0x0000000004019000-memory.dmp

Filesize
11.4MB

Download
memory/1604-60-0x00000000034B0000-0x0000000004019000-memory.dmp

Filesize
11.4MB

Download
memory/1604-58-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1604-59-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1604-56-0x0000000002A10000-0x0000000003065000-memory.dmp

Filesize
6.3MB

Download
memory/1604-57-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1604-74-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-66-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-54-0x0000000002560000-0x0000000002A0A000-memory.dmp

Filesize
4.7MB

Download
memory/1604-71-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-72-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-69-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-68-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-65-0x0000000004180000-0x00000000042C0000-memory.dmp

Filesize
1.2MB

Download
memory/1604-105-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1604-106-0x00000000034B0000-0x0000000004019000-memory.dmp

Filesize
11.4MB

Download