Analysis

- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 09:23

Static task: static1

Behavioral task: behavioral1
- Sample: 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
- Resource: win10v2004-20220901-en
General

- Target: 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
- Size: 2.2MB
- MD5: 97af5bbe181461dca1858213b4a5b999
- SHA1: ecd72d0643d87cb4cd5a26e344484d6c0ad4c25e
- SHA256: 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed
- SHA512: 67ed8e7a0623fce8d3de338f6216de1f99683170383cbef7d9517b8dfffa1c24c1f68af35920b158278f0ef1ad8d83ab9e595315d390f41347bcb4273cbac0e6
- SSDEEP: 49152:txv2nC5RX1OB8+zl4HzNr3LnYJ0Z4JFkQ8BuF:zf11OB8n938+4vV8AF
Signatures
-
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 5096 Rundl16.exe
- 5040 Theef2Server.exe
- 1972 Rundll16.exe
- 3984 wingreporg.exe
-
Loads dropped DLL (1 IoC)
Processes (pid, process):
- 3440 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe
-
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Standar P2P = "C:\\WINDOWS\\system32\\Rundl16.exe" (79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Standar P2P 2 = "C:\\WINDOWS\\system\\Rundl16.exe" (79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\demon force = "C:\\WINDOWS\\system32\\1zDm0n1.26Com.exe" (79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinEgrep = "C:\\Windows\\wingreporg.exe" (Theef2Server.exe)
Note: the sample runs as a 32-bit process on this x64 image, which is why the values land under WOW6432Node and why the process tree shows image paths under C:\Windows\SysWOW64 for command lines that name C:\Windows\system32 (WOW64 file-system redirection). The Run values themselves name C:\WINDOWS\system32 and C:\WINDOWS\system; the only copies this report records are the ones written to C:\Windows\SysWOW64 (see "Drops file in System32 directory").
-
Drops file in System32 directory (32 IoCs)
Processes (description, ioc, process):
By 79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe:
- File created: C:\Windows\SysWOW64\CynS.exe
- File opened for modification: C:\Windows\SysWOW64\CynS.exe
- File created: C:\Windows\SysWOW64\1zDm0n1.26Com.exe
- File opened for modification: C:\Windows\SysWOW64\1zDm0n1.26Com.exe
- File created: C:\Windows\SysWOW64\1o.p.1.2F.exe
- File opened for modification: C:\Windows\SysWOW64\1o.p.1.2F.exe
- File created: C:\Windows\SysWOW64\Rundl16.exe
- File opened for modification: C:\Windows\SysWOW64\Rundl16.exe
- File created: C:\Windows\SysWOW64\Theef2Server.exe
- File opened for modification: C:\Windows\SysWOW64\Theef2Server.exe
- File created: C:\Windows\SysWOW64\Patch.exe
- File opened for modification: C:\Windows\SysWOW64\Patch.exe
By Rundl16.exe:
- File created: C:\Windows\SysWOW64\Rundll16.exe
- File opened for modification: C:\Windows\SysWOW64\Rundll16.exe
By Rundll16.exe (each drop path nests the file's own name one level deeper, from 1 to 18 levels):
- File created: C:\Windows\SysWOW64\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
- File created: C:\Windows\SysWOW64\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe\Rundll16.exe
-
Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\wingreporg.exe (Theef2Server.exe)
- File opened for modification: C:\Windows\wingreporg.exe (Theef2Server.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid, process, number of hits):
- 5096 Rundl16.exe (6)
- 5040 Theef2Server.exe (8)
- 1972 Rundll16.exe (6)
- 3984 wingreporg.exe (6)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (pid, process, target pid, target process; each pair is recorded three times):
- PID 3440 (79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe) wrote to memory of 5096 (Rundl16.exe)
- PID 3440 (79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe) wrote to memory of 5040 (Theef2Server.exe)
- PID 5096 (Rundl16.exe) wrote to memory of 1972 (Rundll16.exe)
- PID 5040 (Theef2Server.exe) wrote to memory of 3984 (wingreporg.exe)
Processes

- Image: C:\Users\Admin\AppData\Local\Temp\79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe (PID 3440, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\Rundl16.exe (PID 5096, depth 2, child of 3440)
    Command line: "C:\Windows\system32\Rundl16.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\Rundll16.exe (PID 1972, depth 3, child of 5096)
      Command line: C:\Windows\system32\Rundll16.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
  - Image: C:\Windows\SysWOW64\Theef2Server.exe (PID 5040, depth 2, child of 3440)
    Command line: "C:\Windows\system32\Theef2Server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\wingreporg.exe (PID 3984, depth 3, child of 5040)
      Command line: C:\Windows\wingreporg.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
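The three behaviours that tie this report together (a process started from a user's Temp directory writing Run values, dropping executables into C:\Windows and C:\Windows\SysWOW64, and spawning children that repeat the pattern) can be turned into detection rules that reason over the process tree rather than over single events. The block below is an added example, not sandbox output or code from the sample: it evaluates such rules over constructed Sysmon-style events modelled on this report's IoCs. The event field names (id, pid, ppid, image, target, details), the sample's parent PID 4000 and the benign "vendor installer" control event are assumptions.

```python
"""Added detection example (not part of the sandbox report): rules for the
Run-key persistence, Windows/System32-directory drops and parent/child chain
seen in this analysis, evaluated over constructed Sysmon-style events.
Assumed event shape: id (1 = process create, 11 = file create,
13 = registry value set), pid, ppid, image, target, details."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\79e4ee78e53559e351607ea1506dcb8d75cc1dab6354d6216175a6ebc2e077ed.exe")
RUNDL16 = r"C:\Windows\SysWOW64\Rundl16.exe"
RUNDLL16 = r"C:\Windows\SysWOW64\Rundll16.exe"
THEEF = r"C:\Windows\SysWOW64\Theef2Server.exe"
WOW_RUN = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed events modelled on the report's IoCs (not captured logs). The
# sample's parent PID 4000 and the final vendor-installer control event are
# invented so the rules have something benign to ignore.
EVENTS = [
    {"id": 1, "pid": 3440, "ppid": 4000, "image": SAMPLE},
    {"id": 11, "pid": 3440, "image": SAMPLE, "target": RUNDL16},
    {"id": 11, "pid": 3440, "image": SAMPLE, "target": THEEF},
    {"id": 13, "pid": 3440, "image": SAMPLE, "target": WOW_RUN + r"\Standar P2P",
     "details": r"C:\WINDOWS\system32\Rundl16.exe"},
    {"id": 1, "pid": 5096, "ppid": 3440, "image": RUNDL16},
    {"id": 1, "pid": 5040, "ppid": 3440, "image": THEEF},
    {"id": 1, "pid": 1972, "ppid": 5096, "image": RUNDLL16},
    {"id": 11, "pid": 1972, "image": RUNDLL16,
     "target": RUNDLL16 + r"\Rundll16.exe\Rundll16.exe"},
    {"id": 11, "pid": 5040, "image": THEEF, "target": r"C:\Windows\wingreporg.exe"},
    {"id": 13, "pid": 5040, "image": THEEF, "target": WOW_RUN + r"\WinEgrep",
     "details": r"C:\Windows\wingreporg.exe"},
    {"id": 13, "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
]

# Locations an unprivileged user can write to; a process whose image (or whose
# ancestor's image) lives there should not be populating Run keys or C:\Windows.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:Users|Windows\\Temp|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# An executable sitting directly in the Windows root (C:\Windows\x.exe), as
# wingreporg.exe does in this report.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\Windows\\[^\\]+\.exe$", re.I)
WINDOWS_DIR = "c:\\windows\\"


def lineage(events, pid):
    """Image paths from the oldest ancestor present in the log down to pid,
    rebuilt from process-create events (the report's WriteProcessMemory chain)."""
    parent = {e["pid"]: (e.get("ppid"), e["image"]) for e in events if e["id"] == 1}
    chain = []
    while pid in parent:
        ppid, image = parent[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def user_writable_origin(events, pid, image):
    """True if the process or any known ancestor was launched from a user-writable path."""
    return any(USER_WRITABLE.match(p) for p in [image] + lineage(events, pid))


def detect(events):
    """Return (rule, pid, indicator) tuples for every event that matches a rule."""
    alerts = []
    for e in events:
        origin = user_writable_origin(events, e["pid"], e["image"])
        if e["id"] == 13 and RUN_KEY.search(e["target"]):
            if origin:
                alerts.append(("run_key_set_by_user_writable_lineage", e["pid"], e["target"]))
            if WINDOWS_ROOT_EXE.match(e["details"]):
                alerts.append(("run_key_points_to_windows_root_exe", e["pid"], e["details"]))
        if e["id"] == 11:
            target = e["target"]
            if origin and target.lower().startswith(WINDOWS_DIR):
                alerts.append(("windows_dir_drop_by_user_writable_lineage", e["pid"], target))
            # The sample's Rundll16.exe keeps appending its own name to the drop
            # path (SysWOW64\Rundll16.exe\Rundll16.exe\...): flag a drop path
            # that repeats the writer's own file name.
            own_name = "\\" + e["image"].rsplit("\\", 1)[-1].lower()
            if target.lower().count(own_name) >= 2:
                alerts.append(("self_nested_drop_path", e["pid"], target))
    return alerts


if __name__ == "__main__":
    for rule, pid, indicator in detect(EVENTS):
        print(f"{rule:42} pid={pid} {indicator}")
```

The lineage check is what lets the rules fire on the grandchildren: Rundll16.exe and wingreporg.exe both run from paths that look legitimate on their own, and only tracing them back to the Temp-resident sample makes their drops and Run-key writes suspicious. The control event from Program Files produces no alert.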
Downloads
Dropped files (Rundll16.exe carries the same hashes as Rundl16.exe, and wingreporg.exe the same as Theef2Server.exe):
-
C:\Users\Admin\AppData\Local\Temp\gert0.dll
- Filesize: 88KB
- MD5: 17f25804018f53627d1edfb3f7407e76
- SHA1: 889fcdd4ac524ea2a2874b4abfbf90160bdbe75e
- SHA256: 7325849786299ff7adf93578947a2ef778f3288d365851ec969f39d11fbeb895
- SHA512: 7703a88a5dd0b848e4789d2a860832aae924a40d6a7099db2669d355c22c7d220ddfe2f36be8099bd04cb428c73b50d1abe95a69aa7749ad3f12889e91583b75
-
C:\Windows\SysWOW64\Rundl16.exe
- Filesize: 258KB
- MD5: b00d6b141e42e8f99153287f638dc7ef
- SHA1: e684dbbff1248f034873c883924e133348378a9f
- SHA256: abab06951d717219c07bff5790bc48efa926aeac1e61cdcc7be9962f18caea09
- SHA512: ad6154bffb7f7b1e23ca2ccd187cbecacd7ef3430cc543744e6daa9c6d87010483978f478de688f9b596fd56d6e2dc7185e1abdaff334c11b536b9acdce0999d
-
C:\Windows\SysWOW64\Rundll16.exe
- Filesize: 258KB
- MD5: b00d6b141e42e8f99153287f638dc7ef
- SHA1: e684dbbff1248f034873c883924e133348378a9f
- SHA256: abab06951d717219c07bff5790bc48efa926aeac1e61cdcc7be9962f18caea09
- SHA512: ad6154bffb7f7b1e23ca2ccd187cbecacd7ef3430cc543744e6daa9c6d87010483978f478de688f9b596fd56d6e2dc7185e1abdaff334c11b536b9acdce0999d
-
C:\Windows\SysWOW64\Theef2Server.exe
- Filesize: 754KB
- MD5: ae42ab4f9f84d04947f07166b29b0b2b
- SHA1: 8c920099011d905dacbc50b8b532ee22b004778c
- SHA256: 5755fd05ed31fb3a34aab258376b282685e4e5e06143d4eca25b72dc215ba3e9
- SHA512: 28ce458b73fb29a97834c925c524c46bb43ba34ed207626c0f88c183e2de67360fded935d2d66a5fe12ab634c7a61083a18d03f8f36899faf6856d80e2633422
-
C:\Windows\wingreporg.exe
- Filesize: 754KB
- MD5: ae42ab4f9f84d04947f07166b29b0b2b
- SHA1: 8c920099011d905dacbc50b8b532ee22b004778c
- SHA256: 5755fd05ed31fb3a34aab258376b282685e4e5e06143d4eca25b72dc215ba3e9
- SHA512: 28ce458b73fb29a97834c925c524c46bb43ba34ed207626c0f88c183e2de67360fded935d2d66a5fe12ab634c7a61083a18d03f8f36899faf6856d80e2633422
-
Memory dumps (pid, dump, size):
- memory/1972-141-0x0000000000000000-mapping.dmp
- memory/1972-145-0x0000000000400000-0x000000000046A400-memory.dmp: 425KB
- memory/3984-146-0x0000000000000000-mapping.dmp
- memory/3984-149-0x0000000000400000-0x00000000004CC400-memory.dmp: 817KB
- memory/3984-150-0x0000000000400000-0x00000000004CC400-memory.dmp: 817KB
- memory/5040-140-0x0000000000400000-0x00000000004CC400-memory.dmp: 817KB
- memory/5040-135-0x0000000000000000-mapping.dmp
- memory/5096-144-0x0000000000400000-0x000000000046A400-memory.dmp: 425KB
- memory/5096-137-0x0000000000400000-0x000000000046A400-memory.dmp: 425KB
- memory/5096-133-0x0000000000000000-mapping.dmp