Overview

overview

8

Static

static

8

d339f5f6b7...69.dll

windows7-x64

8

d339f5f6b7...69.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    113s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d339f5f6b725c52346dd855f747f7d3bbf1d94e1336a993b7e374afae1fe5969.dll

  • Size

    500KB

  • MD5

    0c260a6c3bc4c5e3d898df01285f02d0

  • SHA1

    8061ea2c1189b6116a195d89ae88ab8442c74b97

  • SHA256

    d339f5f6b725c52346dd855f747f7d3bbf1d94e1336a993b7e374afae1fe5969

  • SHA512

    4feb9474303af281b3f4786fadef9f5e6ca1bd66f84369aff5c73687e39c97c6c23c6ab63d602fa3b6301900e5df1153318f1f49bb307691dabcc640ff815ef5

  • SSDEEP

    6144:Ot5xiJjUNb8L4K91KFqPzb//EJcq5nDcaeo6WfmymREmCMeBZA52ijMQiEU5/YBy:u6gF7KGYaiaB65y5TMl2TPWyZBrzqU

Score
8/10
vmprotect

Malware Config

Signatures

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d339f5f6b725c52346dd855f747f7d3bbf1d94e1336a993b7e374afae1fe5969.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d339f5f6b725c52346dd855f747f7d3bbf1d94e1336a993b7e374afae1fe5969.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://contando2015.com/ANP/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FQ7F6HNK.txt
    Filesize

    608B

    MD5

    583e272b84bdc288ba94db56a06e6156

    SHA1

    4b8210a4bbff5e7f71eb1348d44ffcde320a3449

    SHA256

    2a6ff7a8d70284d7cc7b025f753249943760e8250f156174d69f6eae863b9a04

    SHA512

    5ad57419f3e2914cebc2ddb7dfcf1d043e4a7fc305562a0a652b36c3c43a17a7648894e5c7b1c3326a45217d3b5ff5817992b247b03a0bc069a222480540b549

    Download Submit
  • memory/1208-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-55-0x0000000076261000-0x0000000076263000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1208-56-0x0000000001E90000-0x0000000001F9C000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1208-57-0x0000000001E90000-0x0000000001F9C000-memory.dmp
    Filesize

    1.0MB

    Download