b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254

General

Target

b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe
Size

171KB
MD5

db7f7a538f8cd5804bfc676c4418390c
SHA1

229e8cdba95a0c61ab1737fdb2e89854c69f4b0f
SHA256

b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254
SHA512

a7f7795bca7678fcebbb9be0e4ee75176e3778ae7bcc7a2f181532476c8032ee282bffc598778c586d912c7f2ae3da81d28aacd41ab0bfd715da5cd225ed3f84
SSDEEP

3072:DQIURTXJ+MXu4KVzxyb+EmjplSAO4/GUkhg40fkHFmJ3jB:Ds9e4KVQipf84/Mhg4CyFU3N

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1336 rundll32.exe
1336 rundll32.exe
1336 rundll32.exe
1336 rundll32.exe

pid	process
1336	rundll32.exe
1336	rundll32.exe
1336	rundll32.exe
1336	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe = "Rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Adobe\\rnpzvfmr.dll,DllCanUnloadNow"	rundll32.exe
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exeRundll32.exe

pid process

1336 rundll32.exe
1600 Rundll32.exe
1600 Rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Rundll32.exe

pid process

1600 Rundll32.exe

pid	process
1336	rundll32.exe
1600	Rundll32.exe
1600	Rundll32.exe

pid	process
1600	Rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exerundll32.exe

description	pid	process	target process
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1156 wrote to memory of 1336	1156	b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe	rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe
PID 1336 wrote to memory of 1600	1336	rundll32.exe	Rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe
"C:\Users\Admin\AppData\Local\Temp\b78302e5cf2569340dba94ada514f6afd5485d32e8e6bd1d872376ab63677254.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nsoB0BC.tmp\qxmtubdn.dll",DllCanUnloadNow
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Adobe\rnpzvfmr.dll,DllCanUnloadNow
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1600

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB0BC.tmp\qxmtubdn.dll
Filesize
364KB

MD5
b3d890446fa7a0b4513f7c18955201d5

SHA1
ca22e3a4883e932cf4884216291e1b2e9ca1d8c4

SHA256
11d0981a537bd801f59fe42fc94f2e58d7f400dc3fe169ede9202e09940c5cf5

SHA512
78a82d75182e732f07882e18c2dbbbc302fa47c251d4732ba6b97203939b0ed4739c33d5b8861de2d80573df94d3366969c11ddb2a7c333f4c2b44cb696c7991

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB0BC.tmp\qxmtubdn.dll
Filesize
364KB

MD5
b3d890446fa7a0b4513f7c18955201d5

SHA1
ca22e3a4883e932cf4884216291e1b2e9ca1d8c4

SHA256
11d0981a537bd801f59fe42fc94f2e58d7f400dc3fe169ede9202e09940c5cf5

SHA512
78a82d75182e732f07882e18c2dbbbc302fa47c251d4732ba6b97203939b0ed4739c33d5b8861de2d80573df94d3366969c11ddb2a7c333f4c2b44cb696c7991

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB0BC.tmp\qxmtubdn.dll
Filesize
364KB

MD5
b3d890446fa7a0b4513f7c18955201d5

SHA1
ca22e3a4883e932cf4884216291e1b2e9ca1d8c4

SHA256
11d0981a537bd801f59fe42fc94f2e58d7f400dc3fe169ede9202e09940c5cf5

SHA512
78a82d75182e732f07882e18c2dbbbc302fa47c251d4732ba6b97203939b0ed4739c33d5b8861de2d80573df94d3366969c11ddb2a7c333f4c2b44cb696c7991

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB0BC.tmp\qxmtubdn.dll
Filesize
364KB

MD5
b3d890446fa7a0b4513f7c18955201d5

SHA1
ca22e3a4883e932cf4884216291e1b2e9ca1d8c4

SHA256
11d0981a537bd801f59fe42fc94f2e58d7f400dc3fe169ede9202e09940c5cf5

SHA512
78a82d75182e732f07882e18c2dbbbc302fa47c251d4732ba6b97203939b0ed4739c33d5b8861de2d80573df94d3366969c11ddb2a7c333f4c2b44cb696c7991

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB0BC.tmp\qxmtubdn.dll
Filesize
364KB

MD5
b3d890446fa7a0b4513f7c18955201d5

SHA1
ca22e3a4883e932cf4884216291e1b2e9ca1d8c4

SHA256
11d0981a537bd801f59fe42fc94f2e58d7f400dc3fe169ede9202e09940c5cf5

SHA512
78a82d75182e732f07882e18c2dbbbc302fa47c251d4732ba6b97203939b0ed4739c33d5b8861de2d80573df94d3366969c11ddb2a7c333f4c2b44cb696c7991

Download Submit
memory/1156-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1336-55-0x0000000000000000-mapping.dmp

Download
memory/1600-62-0x0000000000000000-mapping.dmp

Download
memory/1600-64-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing