Analysis
-
max time kernel
182s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 00:08
General
-
Target
7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll
-
Size
541KB
-
MD5
c12eff8d72d6a7d0bccd4c3947ba1271
-
SHA1
351fee49a5207d1f16ddc036294b74cc98f06690
-
SHA256
7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736
-
SHA512
314402d330f0c01b131fcc78287472ee496120c9ba526b87438908fd85000a771ebb11386392bf6ff2fba8c3a08179e6cf9c8a7b50b10dd4d7cb07dc1de81c37
-
SSDEEP
12288:gKXAyRw6k2wnnA9UhcOsyj/kidgR6ncbGUTLyEud6p2Qh5zb:6yRw6k20WU6yAp6cV3txh5zb
Malware Config
Signatures
-
VMProtect packed file 7 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7db12168db2668990a09c311b611c2f8f6b65451f48d92ac7a61ebb460a3d736.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.java.com/pt_BR/4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7fff3b2a46f8,0x7fff3b2a4708,0x7fff3b2a47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6108 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,2542485447650788864,17685476451908710683,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3136 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c call C:\Users\Admin\AppData\Local\Temp\YYYY.bat4⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -embedding7⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding8⤵
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\\Internet Explorer\iexplore.exe" -embedding8⤵
-
-
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\Microsoft\WindowsUpdate\rundll32.cpl",8⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54d3e00939da45025c373c79a3e4ac5e2
SHA1358f285f6f1523d96f5c4dfc079da75ba92e7f0c
SHA2566d695856b73d7c18d9fc6412ea8cafc1e28c94b987ab953ed73f4abc406a125d
SHA512a8fd55dfd9fbf86c4014ed779bec5d976ef64abe0de27ec7e6df9ace74a4eecd6716c754f3a054e8a69c67151fdafe98cf53165744f6bfbd1feca2077167b8e4
-
Filesize
1KB
MD5b7762ec3e81bf53197c928e4b9d30306
SHA1aed7e5625ca24b4b94dd48b0557d7d1182f2ea18
SHA2562d1175287d345c620e453f4396b6819eec0c92d0375446fb6fc64b1abe5db87f
SHA51271a9e1d2274af71ef354921b79728cf15f1a8aa7860216f9999a686ccdf96278f7c8e1bc7c9acc3ac4793c1acd336596c4689ad743dac87a1556a6e14d688640
-
Filesize
1KB
MD5417e4ce0f5afe058df975f4b3707c05b
SHA1fb0373c13708b5792a26823a06c66c225c0f9c4e
SHA2568d5bcbcc20ab939ae7cb3b4cd03d6ffe3217723c8e58953d9885a01df0b67440
SHA5120e0f0ec224062dae2629ba485072670efa3b1f71225cb0a9c0180c7c3ac14b0cdbdd0621178f648733e0abf3db89694edaa61a8056fc94aabacbfcbab535c61f
-
Filesize
442B
MD5a6e72cd7f7cd8929860a64f63b7673cf
SHA1949aea94b41ad203635422b6ee8d847ba97c1ec1
SHA2569c0271ee2250169c9b637853a43210a327e5d4a46a97410d98edfa1439cba275
SHA51296f1a192aa143addb85dd728a89cc9a3556d171a7615f82125d91986fbd8ac354c62a51847f08615ba8be48e83a7fd773e7680dcbb2d57c6e6d0ae2b7d628e97
-
Filesize
458B
MD52a0e4b8aa57dc5bfa5f47aae6461aa00
SHA11dcf9a53763303073b980423cfff478bd5010074
SHA256a82bfd6c67da4f8e736e0dd37627de34881dcbb6ff5d5fcaf10843234c62dea4
SHA512ae1e4e847c7cb522f56d8ca859f273d98bfe2e25c88483f136358e87233c42208b122d215e19ba842c9a88a6c0ed4452a328dac7a0a46e9cf7d91a2b84e6a700
-
Filesize
432B
MD5155ed03ba0f68f2623df5a31e8890642
SHA142b915ca83a2f9ce7e510fe0b1ce632290f4c933
SHA25640627a825e98d9a87cbc23db6769144c9faeb553401215e006ffdadc1b3b2a80
SHA512662473a902c57dc355949008e419be59baca5728f72353b1fa39e5492350135b6ade9e5cafd7d67709af21bf85f084d0530d6ed3f17dcb26228f64012e350563
-
Filesize
186B
MD5ed5d0dd1e636b46c029431fe1b22c177
SHA18730dbda5b02b208025efc9729078fd922916244
SHA25619aa3105126cc8c82f49a43b611d43ca5c86e2a23cbd924cf43f0b58f6786eba
SHA512ac5a61fed23e6c7455059ff959e32f9d648fd830fc5d1febdbc8b4907db7e1bb8bb73013ec1fd71dc3ca506598b9a591342e27f6d8e1884af414d3efda256526
-
Filesize
1KB
MD5efed2d96aa5344910603f3538edbea7e
SHA1c1988553afe101e4d6cbdb2901439ad01ddf4640
SHA2567c4ccaca19175775f6fbeac19e6d6bb0497c40e76a774e5dfa481e3ccc66aed5
SHA512b324b4e62b7f6f4334c06d40d9855bb602812be14fe41040572addbcf9a51a4a227bd63ef614242ecb15ebe89aa9304146710e4bc129b46e4a453b2b794e42ee
-
Filesize
8.2MB
MD5066c74a4c54e35a80beaf295cf8d460b
SHA146545679ad7e5acdc573d23fe3bcfea93bbbb2c3
SHA2565ef54ab34b9140e528e64babe53d7b0938440a8c9bba619e9802b5e50d724898
SHA5122bc7e62a21b91cc8ed7f6a3d91dad20bae9f1f45e0b9af0931fe538e4a232bc14225164b13fa67f4f8bfede907067d2f7c772baec8722826a0382ccbe8b40c3b
-
Filesize
1.1MB
MD50a9e1f77c45cca70272b33865de7936e
SHA1a5795ef4bc0b83571b7a5b5ddc5d7255451b8948
SHA2567eb2b0e0e856828b2b2253377d87b03657492e4cfab23450f9aaa078c743da5c
SHA5123e3eaf7708c1d8b511d86c8081baec275d3aa90ee0e34c4addf5fe1447642371910805fca9dd9245e89bb717d7f61a0b2b9c8c6d365e24281963d51ca63db371
-
Filesize
1.2MB
MD59386510028d854a5241c293a16cbaf90
SHA17671438b4a84e99efc0b80a036ebef834318d575
SHA256bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7
SHA512af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588
-
Filesize
1.2MB
MD59386510028d854a5241c293a16cbaf90
SHA17671438b4a84e99efc0b80a036ebef834318d575
SHA256bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7
SHA512af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588
-
Filesize
1.2MB
MD59386510028d854a5241c293a16cbaf90
SHA17671438b4a84e99efc0b80a036ebef834318d575
SHA256bc11905ed42badbe8cd313b33c5f0b43c7f9fc780aaa3fa000677b6af76272b7
SHA512af5cc4ed87151854bb7f6f0f021efa5e8cab8da0dbd28776f7a98a4fd4878123ff8da789f804d7b6e34421a8a71d97d174e5078e3dac7d81e43fee242034f588
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.7MB
-
-
Filesize
2.7MB
-
-
-
-
-
-
Filesize
2.7MB
-
Filesize
2.7MB
-
-
-
Filesize
1.1MB
-
Filesize
1.1MB
-
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
Filesize
380KB
-
-
-
-
-
-
-
-
-
-
-
-
