855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305

Analysis

max time kernel
161s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe
Size

204KB
MD5

218e58f3be90200b41a19bd19d3f6231
SHA1

83e1c240816508964f9e65ac4b79460c086b5627
SHA256

855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305
SHA512

13111b7ecfd5b570e507890d8fce497ff7db0215aea84ca1b852891530e7d2a9f621b7b6fdc9ad5fc84e754492e590ee3f67033c182566a4808ab0e75bfb9304
SSDEEP

3072:xN8lIHgzLrrW9gAvOEsQnSF484xsaqbdCUS6iU79F+6aLK2IJqi6uS+gkDstXKJ5:xN6IHgzLrrr6xh8tdCtd6JVx

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	3460	Rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2768	system.exe
1868	855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4556	Rundll32.exe
3460	Rundll32.exe
3460	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe
File created	C:\Windows\SysWOW64\voslifaa.dll	system.exe
File created	C:\Windows\SysWOW64\eaemifaa.dll	system.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4656	sc.exe
2628	sc.exe
3180	sc.exe
3704	sc.exe
2248	sc.exe
3172	sc.exe
4816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2768	system.exe
2768	system.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
4556	Rundll32.exe
3460	Rundll32.exe
3460	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4264	855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2768	4264	855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe	81
PID 4264 wrote to memory of 2768	4264	855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe	81
PID 4264 wrote to memory of 2768	4264	855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe	81
PID 2768 wrote to memory of 4556	2768	system.exe	83
PID 2768 wrote to memory of 4556	2768	system.exe	83
PID 2768 wrote to memory of 4556	2768	system.exe	83
PID 4556 wrote to memory of 2544	4556	Rundll32.exe	84
PID 4556 wrote to memory of 2544	4556	Rundll32.exe	84
PID 4556 wrote to memory of 2544	4556	Rundll32.exe	84
PID 4556 wrote to memory of 1988	4556	Rundll32.exe	97
PID 4556 wrote to memory of 1988	4556	Rundll32.exe	97
PID 4556 wrote to memory of 1988	4556	Rundll32.exe	97
PID 4556 wrote to memory of 4656	4556	Rundll32.exe	86
PID 4556 wrote to memory of 4656	4556	Rundll32.exe	86
PID 4556 wrote to memory of 4656	4556	Rundll32.exe	86
PID 4556 wrote to memory of 2628	4556	Rundll32.exe	88
PID 4556 wrote to memory of 2628	4556	Rundll32.exe	88
PID 4556 wrote to memory of 2628	4556	Rundll32.exe	88
PID 4556 wrote to memory of 3180	4556	Rundll32.exe	90
PID 4556 wrote to memory of 3180	4556	Rundll32.exe	90
PID 4556 wrote to memory of 3180	4556	Rundll32.exe	90
PID 4556 wrote to memory of 3704	4556	Rundll32.exe	91
PID 4556 wrote to memory of 3704	4556	Rundll32.exe	91
PID 4556 wrote to memory of 3704	4556	Rundll32.exe	91
PID 4556 wrote to memory of 2248	4556	Rundll32.exe	94
PID 4556 wrote to memory of 2248	4556	Rundll32.exe	94
PID 4556 wrote to memory of 2248	4556	Rundll32.exe	94
PID 2544 wrote to memory of 1960	2544	net.exe	96
PID 2544 wrote to memory of 1960	2544	net.exe	96
PID 2544 wrote to memory of 1960	2544	net.exe	96
PID 4556 wrote to memory of 3172	4556	Rundll32.exe	98
PID 4556 wrote to memory of 3172	4556	Rundll32.exe	98
PID 4556 wrote to memory of 3172	4556	Rundll32.exe	98
PID 1988 wrote to memory of 1748	1988	net.exe	99
PID 1988 wrote to memory of 1748	1988	net.exe	99
PID 1988 wrote to memory of 1748	1988	net.exe	99
PID 4556 wrote to memory of 4264	4556	Rundll32.exe	80
PID 4556 wrote to memory of 4264	4556	Rundll32.exe	80
PID 4556 wrote to memory of 2768	4556	Rundll32.exe	81
PID 4556 wrote to memory of 2768	4556	Rundll32.exe	81
PID 4556 wrote to memory of 2544	4556	Rundll32.exe	84
PID 4556 wrote to memory of 2544	4556	Rundll32.exe	84
PID 4556 wrote to memory of 1988	4556	Rundll32.exe	97
PID 4556 wrote to memory of 1988	4556	Rundll32.exe	97
PID 4556 wrote to memory of 4656	4556	Rundll32.exe	86
PID 4556 wrote to memory of 4656	4556	Rundll32.exe	86
PID 4556 wrote to memory of 2628	4556	Rundll32.exe	88
PID 4556 wrote to memory of 2628	4556	Rundll32.exe	88
PID 4556 wrote to memory of 3180	4556	Rundll32.exe	90
PID 4556 wrote to memory of 3180	4556	Rundll32.exe	90
PID 4556 wrote to memory of 3704	4556	Rundll32.exe	91
PID 4556 wrote to memory of 3704	4556	Rundll32.exe	91
PID 4556 wrote to memory of 2248	4556	Rundll32.exe	94
PID 4556 wrote to memory of 2248	4556	Rundll32.exe	94
PID 4556 wrote to memory of 1960	4556	Rundll32.exe	96
PID 4556 wrote to memory of 1960	4556	Rundll32.exe	96
PID 4556 wrote to memory of 3172	4556	Rundll32.exe	98
PID 4556 wrote to memory of 3172	4556	Rundll32.exe	98
PID 4556 wrote to memory of 1748	4556	Rundll32.exe	99
PID 4556 wrote to memory of 1748	4556	Rundll32.exe	99
PID 4556 wrote to memory of 4816	4556	Rundll32.exe	102
PID 4556 wrote to memory of 4816	4556	Rundll32.exe	102
PID 4556 wrote to memory of 4816	4556	Rundll32.exe	102
PID 2768 wrote to memory of 3460	2768	system.exe	104

C:\Users\Admin\AppData\Local\Temp\855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe
"C:\Users\Admin\AppData\Local\Temp\855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\voslifaa.dll Exxcute
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\net.exe
      net stop WinDefend
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:1960
  - - C:\Windows\SysWOW64\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:4656
  - - C:\Windows\SysWOW64\sc.exe
      sc config MpsSvc start= disabled
      4⤵
      Launches sc.exe
      PID:2628
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:3180
  - - C:\Windows\SysWOW64\sc.exe
      sc delete ZhuDongFangYu
      4⤵
      Launches sc.exe
      PID:3704
  - - C:\Windows\SysWOW64\sc.exe
      sc stop 360rp
      4⤵
      Launches sc.exe
      PID:2248
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:1748
  - - C:\Windows\SysWOW64\sc.exe
      sc delete 360rp
      4⤵
      Launches sc.exe
      PID:3172
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:4816
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\eaemifaa.dll Exucute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:3460
- C:\Users\Admin\AppData\Local\Temp\855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe
  C:\Users\Admin\AppData\Local\Temp\855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe
  2⤵
  - Executes dropped EXE
  PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\855cb7365a53aec9e874891ac6f2ac185ee1bb20e0c9b5d52ecb1a800412f305.exe

Filesize
48KB

MD5
bc849ba56ce71049c5b7234346f94cc0

SHA1
58d56e2a2fd350fdc621fd563a1c13ad2d98cfbc

SHA256
e05c0064bf1a1e6bf0f919757ed8e1ec24e6bc73cfa0c159cc5db53b28c7710c

SHA512
e75ad134e3a967601cfdcfa9164ad2b816522f8c4fb9c187f5e8cf3dbeb03bd162280ef429b322d6ab822d5d581b612520cc3421aecc5e6bdb9a3310ddcf0952

Download Submit
C:\Users\Admin\AppData\Local\Temp\B942.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Windows\SysWOW64\eaemifaa.dll

Filesize
22KB

MD5
a457952d720764b67b169d8a4c5f88c7

SHA1
a75185a97c810b923c3caddac190ce6967e4d1a9

SHA256
df62a7994a62e015d4770cb5e48a0bc23e3d1bd74c5c9908175b3f0673f4cbb1

SHA512
9605466bb7b10297b3e46f0cb1b02d07b7203e277e3344ab3e9e2e8d7e86953f69cb593cea785c1e60ad6aabcb832f318d6dd6384f46b2fb8023df41d6c11d39

Download Submit
C:\Windows\SysWOW64\eaemifaa.dll

Filesize
22KB

MD5
a457952d720764b67b169d8a4c5f88c7

SHA1
a75185a97c810b923c3caddac190ce6967e4d1a9

SHA256
df62a7994a62e015d4770cb5e48a0bc23e3d1bd74c5c9908175b3f0673f4cbb1

SHA512
9605466bb7b10297b3e46f0cb1b02d07b7203e277e3344ab3e9e2e8d7e86953f69cb593cea785c1e60ad6aabcb832f318d6dd6384f46b2fb8023df41d6c11d39

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
145KB

MD5
4c3944adb49e5be053cc27f5b6c461a8

SHA1
e2fe57502eac168fe27a406ec5b86727c1be721b

SHA256
e2e32ba264dca0a0d4e1388871c39df529c432f733ec83da2b5699a77b88a270

SHA512
cfa31e6245cef41bc28877a82e74d8fb5c9bb3e1d938a4f12d561bd72ca12877aaf1062dc8438461b0bbeabe086b6ce028c8fa4eb090a47dd3df0ad61582d257

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
145KB

MD5
4c3944adb49e5be053cc27f5b6c461a8

SHA1
e2fe57502eac168fe27a406ec5b86727c1be721b

SHA256
e2e32ba264dca0a0d4e1388871c39df529c432f733ec83da2b5699a77b88a270

SHA512
cfa31e6245cef41bc28877a82e74d8fb5c9bb3e1d938a4f12d561bd72ca12877aaf1062dc8438461b0bbeabe086b6ce028c8fa4eb090a47dd3df0ad61582d257

Download Submit
C:\Windows\SysWOW64\voslifaa.dll

Filesize
78KB

MD5
eedc0d1a5c758e1d224f39e9ab08f484

SHA1
ec3229d30a4ad020fd1e2a71af7e648b413a34ca

SHA256
0972f8c346db99042185797f09094e23f947152b72e58e2a2895423dd8f23ac1

SHA512
24183ad857c5b3d920b2c8a511a0847dc4cc5deca5581913bfa47dd5d146f90573c5a3ea55479e038849d2b3da72e7e4d34a5f50ec2e8049b29e201ed0b43bc6

Download Submit
C:\Windows\SysWOW64\voslifaa.dll

Filesize
78KB

MD5
eedc0d1a5c758e1d224f39e9ab08f484

SHA1
ec3229d30a4ad020fd1e2a71af7e648b413a34ca

SHA256
0972f8c346db99042185797f09094e23f947152b72e58e2a2895423dd8f23ac1

SHA512
24183ad857c5b3d920b2c8a511a0847dc4cc5deca5581913bfa47dd5d146f90573c5a3ea55479e038849d2b3da72e7e4d34a5f50ec2e8049b29e201ed0b43bc6

Download Submit
memory/1868-156-0x00000000728C0000-0x00000000728F9000-memory.dmp

Filesize
228KB

Download
memory/4264-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download