79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
Size

2.2MB
MD5

97af5bbe181461dca1858213b4a5b999
SHA1

ecd72d0643d87cb4cd5a26e344484d6c0ad4c25e
SHA256

79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed
SHA512

67ed8e7a0623fce8d3de338f6216de1f99683170383cbef7d9517b8dfffa1c24c1f68af35920b158278f0ef1ad8d83ab9e595315d390f41347bcb4273cbac0e6
SSDEEP

49152:txv2nC5RX1OB8+zl4HzNr3LnYJ0Z4JFkQ8BuF:zf11OB8n938+4vV8AF

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Rundl16.exeTheef2Server.exeRundll16.exewingreporg.exe

pid process

5096 Rundl16.exe
5040 Theef2Server.exe
1972 Rundll16.exe
3984 wingreporg.exe
Loads dropped DLL 1 IoCs

Processes:

79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe

pid process

3440 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe

pid	process
3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exeTheef2Server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Standar P2P = "C:\\WINDOWS\\system32\\Rundl16.exe"	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Standar P2P 2 = "C:\\WINDOWS\\system\\Rundl16.exe"	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\demon force = "C:\\WINDOWS\\system32\\1zDm0n1.26Com.exe"	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinEgrep = "C:\\Windows\\wingreporg.exe"	Theef2Server.exe

Drops file in System32 directory 32 IoCs

Processes:

Rundll16.exe79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exeRundl16.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\CynS.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe	Rundl16.exe
File created	C:\Windows\SysWOW64\1zDm0n1.26Com.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File opened for modification	C:\Windows\SysWOW64\1o.p.1.2F.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File opened for modification	C:\Windows\SysWOW64\CynS.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundl16.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File opened for modification	C:\Windows\SysWOW64\Theef2Server.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\1o.p.1.2F.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Theef2Server.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File opened for modification	C:\Windows\SysWOW64\1zDm0n1.26Com.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File opened for modification	C:\Windows\SysWOW64\Rundll16.exe	Rundl16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File opened for modification	C:\Windows\SysWOW64\Rundl16.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File opened for modification	C:\Windows\SysWOW64\Patch.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe
File created	C:\Windows\SysWOW64\Patch.exe	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
File created	C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe	Rundll16.exe

Drops file in Windows directory 2 IoCs

Processes:

Theef2Server.exe

description ioc process

File created C:\Windows\wingreporg.exe Theef2Server.exe
File opened for modification C:\Windows\wingreporg.exe Theef2Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wingreporg.exe	Theef2Server.exe
File opened for modification	C:\Windows\wingreporg.exe	Theef2Server.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Rundl16.exeTheef2Server.exeRundll16.exewingreporg.exe

pid	process
5096	Rundl16.exe
5096	Rundl16.exe
5096	Rundl16.exe
5096	Rundl16.exe
5096	Rundl16.exe
5096	Rundl16.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
5040	Theef2Server.exe
1972	Rundll16.exe
1972	Rundll16.exe
1972	Rundll16.exe
1972	Rundll16.exe
1972	Rundll16.exe
1972	Rundll16.exe
3984	wingreporg.exe
3984	wingreporg.exe
3984	wingreporg.exe
3984	wingreporg.exe
3984	wingreporg.exe
3984	wingreporg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exeRundl16.exeTheef2Server.exe

description	pid	process	target process
PID 3440 wrote to memory of 5096	3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe	Rundl16.exe
PID 3440 wrote to memory of 5096	3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe	Rundl16.exe
PID 3440 wrote to memory of 5096	3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe	Rundl16.exe
PID 3440 wrote to memory of 5040	3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe	Theef2Server.exe
PID 3440 wrote to memory of 5040	3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe	Theef2Server.exe
PID 3440 wrote to memory of 5040	3440	79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe	Theef2Server.exe
PID 5096 wrote to memory of 1972	5096	Rundl16.exe	Rundll16.exe
PID 5096 wrote to memory of 1972	5096	Rundl16.exe	Rundll16.exe
PID 5096 wrote to memory of 1972	5096	Rundl16.exe	Rundll16.exe
PID 5040 wrote to memory of 3984	5040	Theef2Server.exe	wingreporg.exe
PID 5040 wrote to memory of 3984	5040	Theef2Server.exe	wingreporg.exe
PID 5040 wrote to memory of 3984	5040	Theef2Server.exe	wingreporg.exe

C:\Users\Admin\AppData\Local\Temp\79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
"C:\Users\Admin\AppData\Local\Temp\79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\Rundl16.exe
"C:\Windows\system32\Rundl16.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\Rundll16.exe
C:\Windows\system32\Rundll16.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\SysWOW64\Theef2Server.exe
"C:\Windows\system32\Theef2Server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\wingreporg.exe
C:\Windows\wingreporg.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gert0.dll
Filesize
88KB

MD5
17f25804018f53627d1edfb3f7407e76

SHA1
889fcdd4ac524ea2a2874b4abfbf90160bdbe75e

SHA256
7325849786299ff7adf93578947a2ef778f3288d365851ec969f39d11fbeb895

SHA512
7703a88a5dd0b848e4789d2a860832aae924a40d6a7099db2669d355c22c7d220ddfe2f36be8099bd04cb428c73b50d1abe95a69aa7749ad3f12889e91583b75

Download Submit
C:\Windows\SysWOW64\Rundl16.exe
Filesize
258KB

MD5
b00d6b141e42e8f99153287f638dc7ef

SHA1
e684dbbff1248f034873c883924e133348378a9f

SHA256
abab06951d717219c07bff5790bc48efa926aeac1e61cdcc7be9962f18caea09

SHA512
ad6154bffb7f7b1e23ca2ccd187cbecacd7ef3430cc543744e6daa9c6d87010483978f478de688f9b596fd56d6e2dc7185e1abdaff334c11b536b9acdce0999d

Download Submit
C:\Windows\SysWOW64\Rundl16.exe
Filesize
258KB

MD5
b00d6b141e42e8f99153287f638dc7ef

SHA1
e684dbbff1248f034873c883924e133348378a9f

SHA256
abab06951d717219c07bff5790bc48efa926aeac1e61cdcc7be9962f18caea09

SHA512
ad6154bffb7f7b1e23ca2ccd187cbecacd7ef3430cc543744e6daa9c6d87010483978f478de688f9b596fd56d6e2dc7185e1abdaff334c11b536b9acdce0999d

Download Submit
C:\Windows\SysWOW64\Rundll16.exe
Filesize
258KB

MD5
b00d6b141e42e8f99153287f638dc7ef

SHA1
e684dbbff1248f034873c883924e133348378a9f

SHA256
abab06951d717219c07bff5790bc48efa926aeac1e61cdcc7be9962f18caea09

SHA512
ad6154bffb7f7b1e23ca2ccd187cbecacd7ef3430cc543744e6daa9c6d87010483978f478de688f9b596fd56d6e2dc7185e1abdaff334c11b536b9acdce0999d

Download Submit
C:\Windows\SysWOW64\Rundll16.exe
Filesize
258KB

MD5
b00d6b141e42e8f99153287f638dc7ef

SHA1
e684dbbff1248f034873c883924e133348378a9f

SHA256
abab06951d717219c07bff5790bc48efa926aeac1e61cdcc7be9962f18caea09

SHA512
ad6154bffb7f7b1e23ca2ccd187cbecacd7ef3430cc543744e6daa9c6d87010483978f478de688f9b596fd56d6e2dc7185e1abdaff334c11b536b9acdce0999d

Download Submit
C:\Windows\SysWOW64\Theef2Server.exe
Filesize
754KB

MD5
ae42ab4f9f84d04947f07166b29b0b2b

SHA1
8c920099011d905dacbc50b8b532ee22b004778c

SHA256
5755fd05ed31fb3a34aab258376b282685e4e5e06143d4eca25b72dc215ba3e9

SHA512
28ce458b73fb29a97834c925c524c46bb43ba34ed207626c0f88c183e2de67360fded935d2d66a5fe12ab634c7a61083a18d03f8f36899faf6856d80e2633422

Download Submit
C:\Windows\SysWOW64\Theef2Server.exe
Filesize
754KB

MD5
ae42ab4f9f84d04947f07166b29b0b2b

SHA1
8c920099011d905dacbc50b8b532ee22b004778c

SHA256
5755fd05ed31fb3a34aab258376b282685e4e5e06143d4eca25b72dc215ba3e9

SHA512
28ce458b73fb29a97834c925c524c46bb43ba34ed207626c0f88c183e2de67360fded935d2d66a5fe12ab634c7a61083a18d03f8f36899faf6856d80e2633422

Download Submit
C:\Windows\wingreporg.exe
Filesize
754KB

MD5
ae42ab4f9f84d04947f07166b29b0b2b

SHA1
8c920099011d905dacbc50b8b532ee22b004778c

SHA256
5755fd05ed31fb3a34aab258376b282685e4e5e06143d4eca25b72dc215ba3e9

SHA512
28ce458b73fb29a97834c925c524c46bb43ba34ed207626c0f88c183e2de67360fded935d2d66a5fe12ab634c7a61083a18d03f8f36899faf6856d80e2633422

Download Submit
C:\Windows\wingreporg.exe
Filesize
754KB

MD5
ae42ab4f9f84d04947f07166b29b0b2b

SHA1
8c920099011d905dacbc50b8b532ee22b004778c

SHA256
5755fd05ed31fb3a34aab258376b282685e4e5e06143d4eca25b72dc215ba3e9

SHA512
28ce458b73fb29a97834c925c524c46bb43ba34ed207626c0f88c183e2de67360fded935d2d66a5fe12ab634c7a61083a18d03f8f36899faf6856d80e2633422

Download Submit
memory/1972-141-0x0000000000000000-mapping.dmp

Download
memory/1972-145-0x0000000000400000-0x000000000046A400-memory.dmp

Filesize
425KB

Download
memory/3984-146-0x0000000000000000-mapping.dmp

Download
memory/3984-149-0x0000000000400000-0x00000000004CC400-memory.dmp

Filesize
817KB

Download
memory/3984-150-0x0000000000400000-0x00000000004CC400-memory.dmp

Filesize
817KB

Download
memory/5040-140-0x0000000000400000-0x00000000004CC400-memory.dmp

Filesize
817KB

Download
memory/5040-135-0x0000000000000000-mapping.dmp

Download
memory/5096-144-0x0000000000400000-0x000000000046A400-memory.dmp

Filesize
425KB

Download
memory/5096-137-0x0000000000400000-0x000000000046A400-memory.dmp

Filesize
425KB

Download
memory/5096-133-0x0000000000000000-mapping.dmp

Download