2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:05

Target

2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7.dll
Size

42KB
MD5

2ad3dc471e5f2f7c43e6f8c8635b0c4c
SHA1

d6c39e0e38da0b9280d9a55dd26d9530a4a114fd
SHA256

2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7
SHA512

338ead00b7a042400144d38dfe9d334abce5fe8f4f7e979abab7b5707b70fab90b171892e2a4e06d0134910c634196af8535a2d60a62f7b9720f396f2513f729
SSDEEP

768:sYVFZfDNCqrWyMiquk2eYqcOIt739tHwDfpv9G6VTOp8iCbnhT37D:TVjJrrlPqBkq127N5OfJ9vVk8iE

Score

5^/10

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\clientui.bat rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\clientui.bat	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5004 wrote to memory of 968	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 968	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 968	5004	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 2172	968	rundll32.exe	cmd.exe
PID 968 wrote to memory of 2172	968	rundll32.exe	cmd.exe
PID 968 wrote to memory of 2172	968	rundll32.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2619329a708a9e8f6b77ef47ec6d1a5c8568423eb4121f57f9e3f5b881d34aa7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\clientui.bat
3⤵
PID:2172

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\clientui.bat

Filesize
140B

MD5
4a105e7151bafbb5fa7ee8bc658f8769

SHA1
ef82d224772a03f6d234a65267e47c8ff45f7081

SHA256
d319c3fb3700d66a607a2dccfd074cbf0903dadee3cfc2521b178beb40d8aaff

SHA512
8c0a2bb48576d21c80bfd1145f8cc2c0698ee36157edc03a302d3d2aba4a59dd5be95254168428c9473d4ef85f16a578883b558ae9106e1f5fbea675232c7a27

Download Submit
memory/968-132-0x0000000000000000-mapping.dmp

Download
memory/968-134-0x0000000000A80000-0x0000000000A9F000-memory.dmp

Filesize
124KB

Download
memory/2172-133-0x0000000000000000-mapping.dmp

Download