432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e

General

Target

432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e.dll
Size

131KB
MD5

439f446dbf3e1ac53b023dbc57f61150
SHA1

deb4c1b983ce4323c3ca5467d4b6756237c9bd66
SHA256

432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e
SHA512

c479f5a4083b67bf7cac8d20eae7305db4064703d2194ee89a06acb75a73018fde8d65d35293e0f4accfd1f592227d6249762ec51008942d0a892c51ea5ae99d
SSDEEP

3072:85iNSyHzZB2M1mzCLG9FpYHE/fhaQmMXJUZn:FTZsemmLEpYk/YM5U

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
12	4568	rundll32.exe
13	3788	rundll32.exe
37	4568	rundll32.exe
44	3788	rundll32.exe
52	3788	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\ServiceDll = "C:\\PROGRA~3\\2992199F9A\\e70d5569c53c3c6cadb6031c9536e8cbca5cfece3f553395bb33249aaed7c234.faa"	rundll32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4568-133-0x00000000024C0000-0x00000000024F1000-memory.dmp	upx
behavioral2/memory/4568-135-0x00000000024C0000-0x00000000024F1000-memory.dmp	upx
behavioral2/memory/3788-139-0x0000000002C30000-0x0000000002C61000-memory.dmp	upx
behavioral2/memory/3788-141-0x0000000002C30000-0x0000000002C61000-memory.dmp	upx
behavioral2/memory/4568-142-0x00000000024C0000-0x00000000024F1000-memory.dmp	upx
behavioral2/memory/3788-143-0x0000000002C30000-0x0000000002C61000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
3788	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\PROGRA~3\2992199F9A\lr42vjz.cpp	rundll32.exe
File created	C:\PROGRA~3\2992199F9A\2193912002.dat	rundll32.exe
File created	C:\PROGRA~3\2992199F9A\e70d5569c53c3c6cadb6031c9536e8cbca5cfece3f553395bb33249aaed7c234Admin.fdd	rundll32.exe
File created	C:\PROGRA~3\2992199F9A\zjv24rl.bbr	rundll32.exe
File opened for modification	C:\PROGRA~3\2992199F9A\zjv24rl.bbr	rundll32.exe
File created	C:\PROGRA~3\2992199F9A\zjv24rlAdmin.fdd	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4568	rundll32.exe
4568	rundll32.exe
3788	rundll32.exe
3788	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4568	2004	rundll32.exe	80
PID 2004 wrote to memory of 4568	2004	rundll32.exe	80
PID 2004 wrote to memory of 4568	2004	rundll32.exe	80
PID 4568 wrote to memory of 3788	4568	rundll32.exe	81
PID 4568 wrote to memory of 3788	4568	rundll32.exe	81
PID 4568 wrote to memory of 3788	4568	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\299219~1\lr42vjz.cpp,work
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\299219~1\lr42vjz.cpp

Filesize
131KB

MD5
439f446dbf3e1ac53b023dbc57f61150

SHA1
deb4c1b983ce4323c3ca5467d4b6756237c9bd66

SHA256
432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e

SHA512
c479f5a4083b67bf7cac8d20eae7305db4064703d2194ee89a06acb75a73018fde8d65d35293e0f4accfd1f592227d6249762ec51008942d0a892c51ea5ae99d

Download Submit
C:\ProgramData\2992199F9A\lr42vjz.cpp

Filesize
131KB

MD5
439f446dbf3e1ac53b023dbc57f61150

SHA1
deb4c1b983ce4323c3ca5467d4b6756237c9bd66

SHA256
432c7deaa94233bb593355f3ecefc5acbc8e6359c1306bdac6c3c35c9655d07e

SHA512
c479f5a4083b67bf7cac8d20eae7305db4064703d2194ee89a06acb75a73018fde8d65d35293e0f4accfd1f592227d6249762ec51008942d0a892c51ea5ae99d

Download Submit
memory/3788-139-0x0000000002C30000-0x0000000002C61000-memory.dmp

Filesize
196KB

Download
memory/3788-140-0x00000000013E0000-0x0000000001411000-memory.dmp

Filesize
196KB

Download
memory/3788-141-0x0000000002C30000-0x0000000002C61000-memory.dmp

Filesize
196KB

Download
memory/3788-143-0x0000000002C30000-0x0000000002C61000-memory.dmp

Filesize
196KB

Download
memory/4568-133-0x00000000024C0000-0x00000000024F1000-memory.dmp

Filesize
196KB

Download
memory/4568-135-0x00000000024C0000-0x00000000024F1000-memory.dmp

Filesize
196KB

Download
memory/4568-134-0x0000000002410000-0x0000000002441000-memory.dmp

Filesize
196KB

Download
memory/4568-142-0x00000000024C0000-0x00000000024F1000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing