2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7.dll
Size

42KB
MD5

2ad3dc471e5f2f7c43e6f8c8635b0c4c
SHA1

d6c39e0e38da0b9280d9a55dd26d9530a4a114fd
SHA256

2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7
SHA512

338ead00b7a042400144d38dfe9d334abce5fe8f4f7e979abab7b5707b70fab90b171892e2a4e06d0134910c634196af8535a2d60a62f7b9720f396f2513f729
SSDEEP

768:sYVFZfDNCqrWyMiquk2eYqcOIt739tHwDfpv9G6VTOp8iCbnhT37D:TVjJrrlPqBkq127N5OfJ9vVk8iE

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\clientui.bat rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\clientui.bat	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1952	896	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1128	1952	rundll32.exe	cmd.exe
PID 1952 wrote to memory of 1128	1952	rundll32.exe	cmd.exe
PID 1952 wrote to memory of 1128	1952	rundll32.exe	cmd.exe
PID 1952 wrote to memory of 1128	1952	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\clientui.bat
3⤵
PID:1128

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\clientui.bat
Filesize
140B

MD5
4a105e7151bafbb5fa7ee8bc658f8769

SHA1
ef82d224772a03f6d234a65267e47c8ff45f7081

SHA256
d319c3fb3700d66a607a2dccfd074cbf0903dadee3cfc2521b178beb40d8aaff

SHA512
8c0a2bb48576d21c80bfd1145f8cc2c0698ee36157edc03a302d3d2aba4a59dd5be95254168428c9473d4ef85f16a578883b558ae9106e1f5fbea675232c7a27

Download Submit
memory/1128-56-0x0000000000000000-mapping.dmp

Download
memory/1952-54-0x0000000000000000-mapping.dmp

Download
memory/1952-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download