ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
Size

918KB
MD5

2253ee7219e9c6c8e4a3ffdf918dbdc4
SHA1

4629fdf6f075ff7648d0225d43b1d312413551ec
SHA256

ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739
SHA512

500b8244c83195833a115f7b5f070154e62ed589243f8fbeb8990c8ee6160520962adbb3f21277d57d0bd522b2cd0e7f2340efd6155fb36415afc627790a51e9
SSDEEP

24576:kTkM/ti22C/1MOB13rpEfYjtAZAybWyj/qpwKSZsVKp:kTXl1/zdOwjfyKyuSCc

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1268	Rundll32.exe
4	1268	Rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
980	two.exe
1752	game.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Abcdef Hijklmno Qrs\Parameters\ServiceDll = "C:\\Windows\\148714629.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Abcdef Hijklmno Qrs\Parameters\ServiceDll = "C:\\Windows\\148693020.dll"	two.exe

Loads dropped DLL 11 IoCs

pid	Process
1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
980	two.exe
980	two.exe
1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
1752	game.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LruNpstf.dsy	two.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\148693020.dll	two.exe
File opened for modification	C:\Windows\148693020.dll	two.exe
File created	C:\Windows\148714629.dll	rundll32.exe
File opened for modification	C:\Windows\148714629.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1752	game.exe
1268	Rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 1696 wrote to memory of 980	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	27
PID 980 wrote to memory of 820	980	two.exe	32
PID 980 wrote to memory of 820	980	two.exe	32
PID 980 wrote to memory of 820	980	two.exe	32
PID 980 wrote to memory of 820	980	two.exe	32
PID 980 wrote to memory of 820	980	two.exe	32
PID 980 wrote to memory of 820	980	two.exe	32
PID 980 wrote to memory of 820	980	two.exe	32
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1696 wrote to memory of 1752	1696	ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe	33
PID 1620 wrote to memory of 1268	1620	svchost.exe	36
PID 1620 wrote to memory of 1268	1620	svchost.exe	36
PID 1620 wrote to memory of 1268	1620	svchost.exe	36
PID 1620 wrote to memory of 1268	1620	svchost.exe	36
PID 1620 wrote to memory of 1268	1620	svchost.exe	36
PID 1620 wrote to memory of 1268	1620	svchost.exe	36
PID 1620 wrote to memory of 1268	1620	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe
"C:\Users\Admin\AppData\Local\Temp\ad5da74726da260ba4c21420d30972de623753cccb9555fb948e692b331b9739.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\\84963696.dll,Install
    3⤵
    - Sets DLL path for service in the registry
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Abcdef Hijklmno Qrs"
1⤵
PID:1160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Abcdef Hijklmno Qrs"
1⤵
PID:1732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Abcdef Hijklmno Qrs"
1⤵
PID:320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Abcdef Hijklmno Qrs"
1⤵
PID:456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Abcdef Hijklmno Qrs"
1⤵
PID:364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Abcdef Hijklmno Qrs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe c:\windows\148714~1.DLL,Launch Abcdef Hijklmno Qrs
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84963696.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe

Filesize
816KB

MD5
7dab267a58ea628971d7114e5453df99

SHA1
1491fc5c57bcbd8afb9c6490fbd580a81090ccb8

SHA256
4c83ce5f7ba26fd344fff2c7cabd18e3ede66cd3086928a2eb88cc89c7989c1e

SHA512
d95ba4f130bee3d0e4384805eb6d7df9178222be76d52c395b7126dc785506a17e3645dd3e7c628cc1bf17dd13c6ef259cce8b1a8914c9b84e382ac078e91cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe

Filesize
816KB

MD5
7dab267a58ea628971d7114e5453df99

SHA1
1491fc5c57bcbd8afb9c6490fbd580a81090ccb8

SHA256
4c83ce5f7ba26fd344fff2c7cabd18e3ede66cd3086928a2eb88cc89c7989c1e

SHA512
d95ba4f130bee3d0e4384805eb6d7df9178222be76d52c395b7126dc785506a17e3645dd3e7c628cc1bf17dd13c6ef259cce8b1a8914c9b84e382ac078e91cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe

Filesize
166KB

MD5
8ed284fca28b9edc56dc4db9a47ab139

SHA1
0cb9f31aad8778b1960fc7f0e42c901ad2c77502

SHA256
3ce6ada543c23e7fc28f3e63c9602c4241864fcbfab154a686063dc57ad3ea86

SHA512
d93b46e9be25a9d610d17f7945dbb55b4923e102c0adfd0d1eaf9538657361fa088bed5673af7c59444818ffcf91db3c161b1090d3dfa1adb4fee9c2878fa8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe

Filesize
166KB

MD5
8ed284fca28b9edc56dc4db9a47ab139

SHA1
0cb9f31aad8778b1960fc7f0e42c901ad2c77502

SHA256
3ce6ada543c23e7fc28f3e63c9602c4241864fcbfab154a686063dc57ad3ea86

SHA512
d93b46e9be25a9d610d17f7945dbb55b4923e102c0adfd0d1eaf9538657361fa088bed5673af7c59444818ffcf91db3c161b1090d3dfa1adb4fee9c2878fa8f0

Download Submit
\??\c:\windows\148693020.dll

Filesize
166KB

MD5
8ed284fca28b9edc56dc4db9a47ab139

SHA1
0cb9f31aad8778b1960fc7f0e42c901ad2c77502

SHA256
3ce6ada543c23e7fc28f3e63c9602c4241864fcbfab154a686063dc57ad3ea86

SHA512
d93b46e9be25a9d610d17f7945dbb55b4923e102c0adfd0d1eaf9538657361fa088bed5673af7c59444818ffcf91db3c161b1090d3dfa1adb4fee9c2878fa8f0

Download Submit
\??\c:\windows\148714629.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
\Users\Admin\AppData\Local\Temp\84963696.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
\Users\Admin\AppData\Local\Temp\84963696.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
\Users\Admin\AppData\Local\Temp\84963696.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
\Users\Admin\AppData\Local\Temp\84963696.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
\Users\Admin\AppData\Local\Temp\84963696.dll

Filesize
7.2MB

MD5
018b5716441fbdd8a21450b9567cbdce

SHA1
51d3d5ad1e6e7b662d4f6f9bc36cb07bcf1f240a

SHA256
db6f6dbc3de738eeac31751e23ba7ee4cd2c8a7a2f9d0d3c9ee0677458426287

SHA512
0b2a963e45c2230087ff091fe52a96afffe16cf7a52a076313eba4f9992623071abcfc52100400926f74ca2e369709d14b2e18478258b7daded942e70c15aea8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe

Filesize
816KB

MD5
7dab267a58ea628971d7114e5453df99

SHA1
1491fc5c57bcbd8afb9c6490fbd580a81090ccb8

SHA256
4c83ce5f7ba26fd344fff2c7cabd18e3ede66cd3086928a2eb88cc89c7989c1e

SHA512
d95ba4f130bee3d0e4384805eb6d7df9178222be76d52c395b7126dc785506a17e3645dd3e7c628cc1bf17dd13c6ef259cce8b1a8914c9b84e382ac078e91cf6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe

Filesize
816KB

MD5
7dab267a58ea628971d7114e5453df99

SHA1
1491fc5c57bcbd8afb9c6490fbd580a81090ccb8

SHA256
4c83ce5f7ba26fd344fff2c7cabd18e3ede66cd3086928a2eb88cc89c7989c1e

SHA512
d95ba4f130bee3d0e4384805eb6d7df9178222be76d52c395b7126dc785506a17e3645dd3e7c628cc1bf17dd13c6ef259cce8b1a8914c9b84e382ac078e91cf6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\game.exe

Filesize
816KB

MD5
7dab267a58ea628971d7114e5453df99

SHA1
1491fc5c57bcbd8afb9c6490fbd580a81090ccb8

SHA256
4c83ce5f7ba26fd344fff2c7cabd18e3ede66cd3086928a2eb88cc89c7989c1e

SHA512
d95ba4f130bee3d0e4384805eb6d7df9178222be76d52c395b7126dc785506a17e3645dd3e7c628cc1bf17dd13c6ef259cce8b1a8914c9b84e382ac078e91cf6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe

Filesize
166KB

MD5
8ed284fca28b9edc56dc4db9a47ab139

SHA1
0cb9f31aad8778b1960fc7f0e42c901ad2c77502

SHA256
3ce6ada543c23e7fc28f3e63c9602c4241864fcbfab154a686063dc57ad3ea86

SHA512
d93b46e9be25a9d610d17f7945dbb55b4923e102c0adfd0d1eaf9538657361fa088bed5673af7c59444818ffcf91db3c161b1090d3dfa1adb4fee9c2878fa8f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe

Filesize
166KB

MD5
8ed284fca28b9edc56dc4db9a47ab139

SHA1
0cb9f31aad8778b1960fc7f0e42c901ad2c77502

SHA256
3ce6ada543c23e7fc28f3e63c9602c4241864fcbfab154a686063dc57ad3ea86

SHA512
d93b46e9be25a9d610d17f7945dbb55b4923e102c0adfd0d1eaf9538657361fa088bed5673af7c59444818ffcf91db3c161b1090d3dfa1adb4fee9c2878fa8f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\two.exe

Filesize
166KB

MD5
8ed284fca28b9edc56dc4db9a47ab139

SHA1
0cb9f31aad8778b1960fc7f0e42c901ad2c77502

SHA256
3ce6ada543c23e7fc28f3e63c9602c4241864fcbfab154a686063dc57ad3ea86

SHA512
d93b46e9be25a9d610d17f7945dbb55b4923e102c0adfd0d1eaf9538657361fa088bed5673af7c59444818ffcf91db3c161b1090d3dfa1adb4fee9c2878fa8f0

Download Submit
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads