Overview

overview

8

Static

static

a5b5dc987c...89.dll

windows7-x64

1

a5b5dc987c...89.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889.dll

  • Size

    42KB

  • MD5

    69ce78e89e8021b42bc29b34f0c71766

  • SHA1

    c2c68c22e0f974df3aeec699b049a82ef041f9ff

  • SHA256

    a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889

  • SHA512

    ff3cab148b692c3d539c3493372844ffb34f973200d2e793c2212d4105a75492862693b4f3af2948d17a9736766bde138de50336c31d83f4cd60423ae10cadec

  • SSDEEP

    768:2V0cFveqh35ob8AQThq7wr8Ns+HVvED8esyNP0I1QtYOscwe:T9q3Kb8rhqEr8HVvED8el1Qt4

Score
8/10
ransomware

Malware Config

Signatures

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889.dll,#1
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    PID:4764
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\system32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3800
        • C:\Windows\system32\wscript.exe
          "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/xgtzrdwlvctg.dcj
          4⤵
            PID:1940
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3264
        • C:\Windows\system32\fodhelper.exe
          fodhelper.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\system32\wscript.exe
            "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/qqslslhj.dcj
            4⤵
              PID:3744

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1940-135-0x0000000000000000-mapping.dmp
        Download
      • memory/3012-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3744-137-0x0000000000000000-mapping.dmp
        Download
      • memory/3800-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4764-132-0x0000000180000000-0x000000018000E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4764-133-0x000001E9F1690000-0x000001E9F169A000-memory.dmp
        Filesize

        40KB

        Download