Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 14:49
Static task: static1
Behavioral task: behavioral1
- Sample: 1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe
- Resource: win10v2004-20220812-en
General
- Target: 1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe
- Size: 448KB
- MD5: 6022edf06aaf6058035404208d96c2a6
- SHA1: 7d5654fb29c0a364d6dd52b6094e156e405dbc45
- SHA256: 1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e
- SHA512: faff7b29c01f25ec13c5bf5fe1f0948317af10b583fe01327e0bb7a23303089a1e1bf06ca7ecd770af8949add8fbdf24df5db29417c52c5ad0ee619b67413414
- SSDEEP: 6144:gBC/iqMDDb4eFZ9zD9wSysVOXvrXI8d9qFiWEKH0FfRJO/:gBC/i3DDceZh9pyAOfcG9q4jKUFfRJw
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 932 rundlldic.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
-
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e66d117fdd84abbfae3dda651eadf274.exe (rundlldic.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e66d117fdd84abbfae3dda651eadf274.exe (rundlldic.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e66d117fdd84abbfae3dda651eadf274 = "\"C:\\Windows\\rundlldic.exe\" .." (rundlldic.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\e66d117fdd84abbfae3dda651eadf274 = "\"C:\\Windows\\rundlldic.exe\" .." (rundlldic.exe)
Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\rundlldic.exe (1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe)
- File opened for modification: C:\Windows\rundlldic.exe (1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (pid, process):
- 932 rundlldic.exe (16 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 932 rundlldic.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
- PID 1964 wrote to memory of 932: 1964 1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe -> rundlldic.exe (4 occurrences)
- PID 932 wrote to memory of 840: 932 rundlldic.exe -> netsh.exe (4 occurrences)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- Depth 2 (child of the sample above): C:\Windows\rundlldic.exe
  Command line: "C:\Windows\rundlldic.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 3 (child of rundlldic.exe): C:\Windows\SysWOW64\netsh.exe
  Command line: netsh firewall add allowedprogram "C:\Windows\rundlldic.exe" "rundlldic.exe" ENABLE
  - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\rundlldic.exe
  Filesize: 448KB
  MD5: 6022edf06aaf6058035404208d96c2a6
  SHA1: 7d5654fb29c0a364d6dd52b6094e156e405dbc45
  SHA256: 1e96aaf82c05be28d0d2245b402ef5610e2106563e9f08d59dd53c250b8d5e8e
  SHA512: faff7b29c01f25ec13c5bf5fe1f0948317af10b583fe01327e0bb7a23303089a1e1bf06ca7ecd770af8949add8fbdf24df5db29417c52c5ad0ee619b67413414
- memory/840-61-0x0000000000000000-mapping.dmp
- memory/932-56-0x0000000000000000-mapping.dmp
- memory/932-62-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)
- memory/932-64-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)
- memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp (Filesize: 8KB)
- memory/1964-55-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)
- memory/1964-60-0x0000000074970000-0x0000000074F1B000-memory.dmp (Filesize: 5.7MB)