f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
Size

148KB
MD5

00f2500cb259f8bc1f00106a970846a0
SHA1

bbc91326fa035822a1c806f989fbf89ea6655b9c
SHA256

f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4
SHA512

239ef5290636549bd379f4c363f38a800b3c547c2ae96322b678f5e56e5ab34de3f2072bfe4805d25e2bc2365ab9cf8e297405eea8f19b4a123badc1d64ff703
SSDEEP

1536:Cwsw9ukAf70iXoLSMwa0JKHRpsjmH/78vP+1H5A6jYHHwBj:/swXFiXoLSZJ8sjo8+1Hq6V

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1584	Rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2040	system.exe
628	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 12 IoCs

pid	Process
1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
960	Rundll32.exe
960	Rundll32.exe
960	Rundll32.exe
960	Rundll32.exe
1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
1584	Rundll32.exe
1584	Rundll32.exe
1584	Rundll32.exe
1584	Rundll32.exe
1584	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wvopnw.dll	system.exe
File created	C:\Windows\SysWOW64\iftqnw.dll	system.exe
File created	C:\Windows\SysWOW64\system.exe	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
584	sc.exe
1372	sc.exe
1548	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
960	Rundll32.exe
960	Rundll32.exe
960	Rundll32.exe
960	Rundll32.exe
960	Rundll32.exe
1584	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2040	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	28
PID 1252 wrote to memory of 2040	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	28
PID 1252 wrote to memory of 2040	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	28
PID 1252 wrote to memory of 2040	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	28
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 2040 wrote to memory of 960	2040	system.exe	29
PID 960 wrote to memory of 684	960	Rundll32.exe	30
PID 960 wrote to memory of 684	960	Rundll32.exe	30
PID 960 wrote to memory of 684	960	Rundll32.exe	30
PID 960 wrote to memory of 684	960	Rundll32.exe	30
PID 960 wrote to memory of 1160	960	Rundll32.exe	31
PID 960 wrote to memory of 1160	960	Rundll32.exe	31
PID 960 wrote to memory of 1160	960	Rundll32.exe	31
PID 960 wrote to memory of 1160	960	Rundll32.exe	31
PID 960 wrote to memory of 584	960	Rundll32.exe	33
PID 960 wrote to memory of 584	960	Rundll32.exe	33
PID 960 wrote to memory of 584	960	Rundll32.exe	33
PID 960 wrote to memory of 584	960	Rundll32.exe	33
PID 960 wrote to memory of 1372	960	Rundll32.exe	36
PID 960 wrote to memory of 1372	960	Rundll32.exe	36
PID 960 wrote to memory of 1372	960	Rundll32.exe	36
PID 960 wrote to memory of 1372	960	Rundll32.exe	36
PID 684 wrote to memory of 580	684	net.exe	39
PID 684 wrote to memory of 580	684	net.exe	39
PID 684 wrote to memory of 580	684	net.exe	39
PID 684 wrote to memory of 580	684	net.exe	39
PID 1160 wrote to memory of 952	1160	net.exe	38
PID 1160 wrote to memory of 952	1160	net.exe	38
PID 1160 wrote to memory of 952	1160	net.exe	38
PID 1160 wrote to memory of 952	1160	net.exe	38
PID 960 wrote to memory of 1548	960	Rundll32.exe	40
PID 960 wrote to memory of 1548	960	Rundll32.exe	40
PID 960 wrote to memory of 1548	960	Rundll32.exe	40
PID 960 wrote to memory of 1548	960	Rundll32.exe	40
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 2040 wrote to memory of 1584	2040	system.exe	42
PID 1252 wrote to memory of 628	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	43
PID 1252 wrote to memory of 628	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	43
PID 1252 wrote to memory of 628	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	43
PID 1252 wrote to memory of 628	1252	f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe	43

C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
"C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\wvopnw.dll Exucute
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:580
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:952
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:584
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:1372
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:1548
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\iftqnw.dll Exucute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:1584
- C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
  C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe
  2⤵
  - Executes dropped EXE
  PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Filesize
60KB

MD5
8e7ec478235b9f5108562ee5d191f096

SHA1
2cbd80b769557a57615269e303f84c6e9ba89630

SHA256
d7d3e7d5d1aed1f383f4d0e77dcdfd2a29067de796ca8d00d5645316742f498a

SHA512
dd647102290a0257cd7e2de2a7db0e420e92135f5987a8223366842ab43acc10977aa11f2e1348f225c81442e81fff79b1bfbd5359a44bce0ac4131d26be3e08

Download Submit
C:\Windows\SysWOW64\iftqnw.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
bb4c48040cc27cead555f61de5361dfe

SHA1
1b224788f3fe0674e02e80d57a1cb9748a5dd4b1

SHA256
b9465bca9e6dc7e4061e33bb0ff4f48da036506ef9478aab42e04ceb80765bae

SHA512
164ba9b3c6860503dce24d6ab2bf4d62c24e6a6cd3f5c77eefff1f85ec5c7dc73f29b2bddcf729b751508ac4da77a637258990e5ac688a3e6f850f2e2eb3536a

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
bb4c48040cc27cead555f61de5361dfe

SHA1
1b224788f3fe0674e02e80d57a1cb9748a5dd4b1

SHA256
b9465bca9e6dc7e4061e33bb0ff4f48da036506ef9478aab42e04ceb80765bae

SHA512
164ba9b3c6860503dce24d6ab2bf4d62c24e6a6cd3f5c77eefff1f85ec5c7dc73f29b2bddcf729b751508ac4da77a637258990e5ac688a3e6f850f2e2eb3536a

Download Submit
C:\Windows\SysWOW64\wvopnw.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
\Users\Admin\AppData\Local\Temp\4886.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Users\Admin\AppData\Local\Temp\f489c4ec8f3b5a4e165d84d5b249eddb04054ad96628ef0867ae992309b435a4.exe

Filesize
60KB

MD5
8e7ec478235b9f5108562ee5d191f096

SHA1
2cbd80b769557a57615269e303f84c6e9ba89630

SHA256
d7d3e7d5d1aed1f383f4d0e77dcdfd2a29067de796ca8d00d5645316742f498a

SHA512
dd647102290a0257cd7e2de2a7db0e420e92135f5987a8223366842ab43acc10977aa11f2e1348f225c81442e81fff79b1bfbd5359a44bce0ac4131d26be3e08

Download Submit
\Windows\SysWOW64\iftqnw.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
\Windows\SysWOW64\iftqnw.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
\Windows\SysWOW64\iftqnw.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
\Windows\SysWOW64\iftqnw.dll

Filesize
19KB

MD5
e77741a2c2032085406937008bbbcf43

SHA1
6086429c60798c7ae8bd521e6480c58553088304

SHA256
59261157968e62a963d4a3cd38f117662a7dc4ffbaa78429a1780dc8d13acd09

SHA512
c4b410b7619ae56f9dd550b6c6f3e6276f9ef568dfa884618591e0c2f24c002513b6b44272e518514e34dd78d683aa1ed35f892fa56a8cf3456f1ba1b6f2dbb1

Download Submit
\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
bb4c48040cc27cead555f61de5361dfe

SHA1
1b224788f3fe0674e02e80d57a1cb9748a5dd4b1

SHA256
b9465bca9e6dc7e4061e33bb0ff4f48da036506ef9478aab42e04ceb80765bae

SHA512
164ba9b3c6860503dce24d6ab2bf4d62c24e6a6cd3f5c77eefff1f85ec5c7dc73f29b2bddcf729b751508ac4da77a637258990e5ac688a3e6f850f2e2eb3536a

Download Submit
\Windows\SysWOW64\system.exe

Filesize
77KB

MD5
bb4c48040cc27cead555f61de5361dfe

SHA1
1b224788f3fe0674e02e80d57a1cb9748a5dd4b1

SHA256
b9465bca9e6dc7e4061e33bb0ff4f48da036506ef9478aab42e04ceb80765bae

SHA512
164ba9b3c6860503dce24d6ab2bf4d62c24e6a6cd3f5c77eefff1f85ec5c7dc73f29b2bddcf729b751508ac4da77a637258990e5ac688a3e6f850f2e2eb3536a

Download Submit
\Windows\SysWOW64\wvopnw.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
\Windows\SysWOW64\wvopnw.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
\Windows\SysWOW64\wvopnw.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
\Windows\SysWOW64\wvopnw.dll

Filesize
53KB

MD5
5fbcb55c94f117b9d64df40c9b385a33

SHA1
c2e6c9b1109ac23977ed20549fa3a7f59ffda92c

SHA256
2854b5b38500094c11f53830822e73d5cf16851f3ed571dc2042115d915d68ff

SHA512
1532d5ee202fcd6e16a50603311c49d6de89331bb820417a2719c8434c1d7310daf4c9e04f4622d3fad54f67125f5b9e66b694a3b5edf0f651921430debaa595

Download Submit
memory/580-69-0x0000000000000000-mapping.dmp

Download
memory/584-67-0x0000000000000000-mapping.dmp

Download
memory/628-76-0x0000000000000000-mapping.dmp

Download
memory/684-65-0x0000000000000000-mapping.dmp

Download
memory/952-70-0x0000000000000000-mapping.dmp

Download
memory/960-59-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/960-58-0x0000000000000000-mapping.dmp

Download
memory/1160-66-0x0000000000000000-mapping.dmp

Download
memory/1252-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1372-68-0x0000000000000000-mapping.dmp

Download
memory/1548-71-0x0000000000000000-mapping.dmp

Download
memory/1584-72-0x0000000000000000-mapping.dmp

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download