9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0

Analysis

max time kernel
99s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe
Size

839KB
MD5

4c68e3236c9035af979437d1647fb190
SHA1

6278578a2235775a5e5ab39e4ea649b32a047d3a
SHA256

9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0
SHA512

65e6cb98740def433c89c361adee8a9e8b508b6a89f4b0d20e5769d09bc7cba3c1710ff96e8bc3fdd27c646c91b164c1ba220939a7f5e6c732fa33cdbc53c8cc
SSDEEP

24576:aUpkSNZ+5UnQtTN8FGIaScYQqSAOEBAtSdcENAOmgJ:aUiPkspdYIqSAOECLE2OmgJ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 21 IoCs

flow	pid	Process
4	1664	rundll32.exe
6	1664	rundll32.exe
8	1664	rundll32.exe
10	1664	rundll32.exe
12	1664	rundll32.exe
14	1664	rundll32.exe
16	1664	rundll32.exe
17	1664	rundll32.exe
20	1664	rundll32.exe
22	1664	rundll32.exe
24	1664	rundll32.exe
26	1664	rundll32.exe
28	1664	rundll32.exe
29	1664	rundll32.exe
31	1664	rundll32.exe
32	1664	rundll32.exe
33	1664	rundll32.exe
34	1664	rundll32.exe
35	1664	rundll32.exe
36	1664	rundll32.exe
37	1664	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
1368	file.exe
964	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe
1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe
948	cmd.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 9 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 948	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	28
PID 1224 wrote to memory of 948	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	28
PID 1224 wrote to memory of 948	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	28
PID 1224 wrote to memory of 948	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	28
PID 1224 wrote to memory of 1368	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	30
PID 1224 wrote to memory of 1368	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	30
PID 1224 wrote to memory of 1368	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	30
PID 1224 wrote to memory of 1368	1224	9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe	30
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1664	1368	file.exe	31
PID 1368 wrote to memory of 1616	1368	file.exe	32
PID 1368 wrote to memory of 1616	1368	file.exe	32
PID 1368 wrote to memory of 1616	1368	file.exe	32
PID 1368 wrote to memory of 1616	1368	file.exe	32
PID 948 wrote to memory of 964	948	cmd.exe	34
PID 948 wrote to memory of 964	948	cmd.exe	34
PID 948 wrote to memory of 964	948	cmd.exe	34
PID 948 wrote to memory of 964	948	cmd.exe	34
PID 948 wrote to memory of 964	948	cmd.exe	34
PID 948 wrote to memory of 964	948	cmd.exe	34
PID 948 wrote to memory of 964	948	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe
"C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_ms0825.bat" "C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe""
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe
    "C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe"
    3⤵
    - Executes dropped EXE
    PID:964
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\4592.dll",ADB_Release
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6F8F.bat" "
    3⤵
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4592.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F8F.bat

Filesize
139B

MD5
863f0baf37283b3ec8accb192a11269f

SHA1
458f9e5c8dc8271d5f0a6790d42872d8bbc1279b

SHA256
61c834413f719a91f215733d32f21c1ce9f4ab8acb6409d9aedbfaca8671fb24

SHA512
caeebdbfa3d3575f867d07055cd057d35c8076b03ea72d6a8cdcca44d599d110715114f589417a3773a643456a933be6938bced67eacdc243a933684ef6c94ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe

Filesize
617KB

MD5
15c49ab625fe6a067cedf58edcf733b6

SHA1
f0728e618dd7a3605d442aece0a784ca729cf2ee

SHA256
eaf01b8e1ea4d6d069767e8e5ff40ffb18ccbf45337b4b6f7edab9851de64eba

SHA512
b5187a0dcc0c0844029b21ce4fd4a97aaf1ea9ed8d270427072cc379a5dd97cec285e52b8d6970b25681c2b7f9765dcc9a67180706060d119b4884e4b00502e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe

Filesize
617KB

MD5
15c49ab625fe6a067cedf58edcf733b6

SHA1
f0728e618dd7a3605d442aece0a784ca729cf2ee

SHA256
eaf01b8e1ea4d6d069767e8e5ff40ffb18ccbf45337b4b6f7edab9851de64eba

SHA512
b5187a0dcc0c0844029b21ce4fd4a97aaf1ea9ed8d270427072cc379a5dd97cec285e52b8d6970b25681c2b7f9765dcc9a67180706060d119b4884e4b00502e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chronotron3_5.exe.org

Filesize
617KB

MD5
15c49ab625fe6a067cedf58edcf733b6

SHA1
f0728e618dd7a3605d442aece0a784ca729cf2ee

SHA256
eaf01b8e1ea4d6d069767e8e5ff40ffb18ccbf45337b4b6f7edab9851de64eba

SHA512
b5187a0dcc0c0844029b21ce4fd4a97aaf1ea9ed8d270427072cc379a5dd97cec285e52b8d6970b25681c2b7f9765dcc9a67180706060d119b4884e4b00502e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0825.bat

Filesize
234B

MD5
55db6cc0cefe76502ebb2c8de5015bc1

SHA1
53b058e06f21f0e34ca5fba00e9eeb0f895ab543

SHA256
f702b6e7c3729a037c1788d831d8f7d0677229a498ad3a94bde929f9b6f4c8da

SHA512
659ab9d912420ace6973b678dca1405cf649ee24bb397c2d50ef47a082b014917e6ec2cc4cb244790f67402975bf59bbef000e29c5ea286d3d6ed6678c8cd662

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\4592.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\4592.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\4592.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\4592.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\9c78e2b53d79f4ea0d694adc1ea31c352dc3c79ff0ceac865f62036ca9e6b8d0.exe

Filesize
617KB

MD5
15c49ab625fe6a067cedf58edcf733b6

SHA1
f0728e618dd7a3605d442aece0a784ca729cf2ee

SHA256
eaf01b8e1ea4d6d069767e8e5ff40ffb18ccbf45337b4b6f7edab9851de64eba

SHA512
b5187a0dcc0c0844029b21ce4fd4a97aaf1ea9ed8d270427072cc379a5dd97cec285e52b8d6970b25681c2b7f9765dcc9a67180706060d119b4884e4b00502e7

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download