Analysis
Max time kernel: 149s
Max time network: 174s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-11-2022 16:46
Static task: static1
Behavioral task: behavioral1
  Sample: f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe
  Resource: win10v2004-20220812-en
General
Target: f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe
Size: 369KB
MD5: d86ef322a661d37130f5a4d0effd03f3
SHA1: f75cfb7790bb6d554fdf436ac941fb786a78082d
SHA256: f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d
SHA512: f86724453a3680a44523914609d114cf8fb7b1475ac3e00e465034f3e12a230e7c81f9d90854475bbeeedb0dd2fc0af9f00732edb9f0789c0b3a827b03b20dab
SSDEEP: 6144:J9PpMQZm7dznwijvPEaabsuI1FKiswVO2yqrBncky:JPMQZm7dznwijvPEaac1FKJx2JSky
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  - Process: rundll32.exe, PID 4720
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe)
Drops startup file (2 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ca9c409cae049493b77941d19805dd5.exe (process: rundll32.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ca9c409cae049493b77941d19805dd5.exe (process: rundll32.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0ca9c409cae049493b77941d19805dd5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32.exe\" .." (process: rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ca9c409cae049493b77941d19805dd5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\rundll32.exe\" .." (process: rundll32.exe)
Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp (process: dw20.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: dw20.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: dw20.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: dw20.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: dw20.exe)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: dw20.exe)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeRestorePrivilege, PID 4400 (dw20.exe)
  - Token: SeBackupPrivilege, PID 4400 (dw20.exe), 4 entries
Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 5100 (f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe) wrote to memory of PID 4720 (rundll32.exe), 3 entries
  - PID 4720 (rundll32.exe) wrote to memory of PID 5008 (netsh.exe), 3 entries
  - PID 4720 (rundll32.exe) wrote to memory of PID 4400 (dw20.exe), 3 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\rundll32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\rundll32.exe" "rundll32.exe" ENABLE
         - Modifies Windows Firewall

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 1052
         - Drops file in Windows directory
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\rundll32.exe (same size and hashes as the submitted sample, i.e. a copy of it)
  Filesize: 369KB
  MD5: d86ef322a661d37130f5a4d0effd03f3
  SHA1: f75cfb7790bb6d554fdf436ac941fb786a78082d
  SHA256: f7f53052b36f373a7650e9e1ac8a29ed38ac614cc24d6b7b5fb27d3da646570d
  SHA512: f86724453a3680a44523914609d114cf8fb7b1475ac3e00e465034f3e12a230e7c81f9d90854475bbeeedb0dd2fc0af9f00732edb9f0789c0b3a827b03b20dab
Memory dumps
  memory/4400-140-0x0000000000000000-mapping.dmp
  memory/4720-134-0x0000000000000000-mapping.dmp
  memory/4720-138-0x0000000074A00000-0x0000000074FB1000-memory.dmp (5.7MB)
  memory/4720-141-0x0000000074A00000-0x0000000074FB1000-memory.dmp (5.7MB)
  memory/5008-139-0x0000000000000000-mapping.dmp
  memory/5100-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp (5.7MB)
  memory/5100-133-0x0000000074A00000-0x0000000074FB1000-memory.dmp (5.7MB)
  memory/5100-137-0x0000000074A00000-0x0000000074FB1000-memory.dmp (5.7MB)