Analysis
- max time kernel: 41s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 05:59
Static task: static1

Behavioral task: behavioral1
- Sample: 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
- Resource: win10v2004-20221111-en
General
- Target: 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
- Size: 69KB
- MD5: 59de701fe87acd8863e5175d6f33cd1b
- SHA1: 04795374816358bbdd9015ba77abdc1ca6a84065
- SHA256: 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda
- SHA512: 11315ae8778f1f713979106668a2b5945bab6e8ad28d0ed7f0be2a7113b23c4851470730938dc74a378c482de9c7365f128233ce725f5af7668aad83cdf903ba
- SSDEEP: 1536:2lB+r9Byk/wG4N94T0rXJx3aGGRWoHMEEFEo6:+B+rqltgHMEEFEo6
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 6 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
- C:\Windows\SysWOW64\savec32.dll | acprotect
- \Windows\SysWOW64\savec32.dll | acprotect
- \Windows\SysWOW64\savec32.dll | acprotect
- \Windows\SysWOW64\savec32.dll | acprotect
- \Windows\SysWOW64\savec32.dll | acprotect
- behavioral1/memory/1080-63-0x0000000020000000-0x0000000020023000-memory.dmp | acprotect

Processes:
resource | yara_rule
- C:\Windows\SysWOW64\savec32.dll | upx
- \Windows\SysWOW64\savec32.dll | upx
- \Windows\SysWOW64\savec32.dll | upx
- \Windows\SysWOW64\savec32.dll | upx
- \Windows\SysWOW64\savec32.dll | upx
- behavioral1/memory/1080-63-0x0000000020000000-0x0000000020023000-memory.dmp | upx
Deletes itself 1 IoCs
Processes:
pid | process
- 268 | cmd.exe

Loads dropped DLL 4 IoCs
Processes:
pid | process
- 1080 | rundll32.exe
- 1080 | rundll32.exe
- 1080 | rundll32.exe
- 1080 | rundll32.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E8FD36B2-A25B-47e3-9477-82557F5F5995} | 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
- File created | C:\Windows\SysWOW64\ekd.txt | 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
- File created | C:\Windows\SysWOW64\savec32.dll | 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
- File created | C:\Windows\inform.dat | 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
Modifies registry class 9 IoCs
Processes:
description | ioc
(process for every entry: 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe)
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\ProgID
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\TypeLib\ = "{54197CBC-3D68-4e8d-8DD2-BD9D50342244}"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32\ = "savec32.dll"
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\TypeLib
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\ = "Rmn plugin"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\ProgID\ = "RITLAB.1"
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | target process
(process for every entry: 89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe)
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 1080 | 1360 | rundll32.exe
- PID 1360 wrote to memory of 268 | 1360 | cmd.exe
- PID 1360 wrote to memory of 268 | 1360 | cmd.exe
- PID 1360 wrote to memory of 268 | 1360 | cmd.exe
- PID 1360 wrote to memory of 268 | 1360 | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89897675e760194e89e17ec2588f91d1c85aa93d9132c65258db4a87877fadda.exe"
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" savec32.dll,InitDll
      - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\898976~1.EXE >> NUL
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\savec32.dll
  Filesize: 44KB
  MD5: a7e9dd508c1ed1e7b4af7f1507e9bac5
  SHA1: 8c9850e485a42fab8d65bdd4a5c3a014715b3406
  SHA256: 88ef17464130d253535a353e5eea57c5156334533500edbf15280f31d49be3b4
  SHA512: c1ddbbeae9e5767c7035739d461ad552f5371c0514d1c149e79b1091a6d27f2ceefe19ca48e4e508c9718998a806e5a9e66ecfec81292a21d7993529a9503f94
- memory/268-56-0x0000000000000000-mapping.dmp
- memory/1080-55-0x0000000000000000-mapping.dmp
- memory/1080-63-0x0000000020000000-0x0000000020023000-memory.dmp (Filesize: 140KB)
- memory/1080-64-0x0000000020000000-0x0000000020023000-memory.dmp (Filesize: 140KB)
- memory/1080-65-0x0000000020000000-0x0000000020023000-memory.dmp (Filesize: 140KB)
- memory/1360-54-0x0000000075091000-0x0000000075093000-memory.dmp (Filesize: 8KB)