Analysis
- max time kernel: 92s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 10:57
Static task: static1
Behavioral task: behavioral1
- Sample: a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889.dll
- Resource: win10v2004-20220812-en
General
- Target: a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889.dll
- Size: 42KB
- MD5: 69ce78e89e8021b42bc29b34f0c71766
- SHA1: c2c68c22e0f974df3aeec699b049a82ef041f9ff
- SHA256: a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889
- SHA512: ff3cab148b692c3d539c3493372844ffb34f973200d2e793c2212d4105a75492862693b4f3af2948d17a9736766bde138de50336c31d83f4cd60423ae10cadec
- SSDEEP: 768:2V0cFveqh35ob8AQThq7wr8Ns+HVvED8esyNP0I1QtYOscwe:T9q3Kb8rhqEr8HVvED8el1Qt4
Malware Config
Signatures
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  - File renamed: C:\Users\Admin\Pictures\AddConnect.tif => C:\Users\Admin\Pictures\AddConnect.tif.kphjxvi (rundll32.exe)
  - File opened for modification: C:\Users\Admin\Pictures\DenyInitialize.tiff (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\DenyInitialize.tiff => C:\Users\Admin\Pictures\DenyInitialize.tiff.kphjxvi (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\SwitchFind.tif => C:\Users\Admin\Pictures\SwitchFind.tif.kphjxvi (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\CompleteHide.raw => C:\Users\Admin\Pictures\CompleteHide.raw.kphjxvi (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\SwitchInstall.crw => C:\Users\Admin\Pictures\SwitchInstall.crw.kphjxvi (rundll32.exe)
  - File renamed: C:\Users\Admin\Pictures\UninstallSave.raw => C:\Users\Admin\Pictures\UninstallSave.raw.kphjxvi (rundll32.exe)
- Modifies registry class (6 IoCs)
  Processes: rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/qqslslhj.dcj" (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/xgtzrdwlvctg.dcj" (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\ms-settings (rundll32.exe)
  The wscript.exe command lines registered under the AppX class's Shell\open\command key are the same command lines that appear as wscript.exe children of fodhelper.exe in the Processes section below.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cmd.exe, fodhelper.exe, cmd.exe, fodhelper.exe
  - PID 908 wrote to memory of 3800: pid 908, process cmd.exe, target process fodhelper.exe
  - PID 908 wrote to memory of 3800: pid 908, process cmd.exe, target process fodhelper.exe
  - PID 3800 wrote to memory of 1940: pid 3800, process fodhelper.exe, target process wscript.exe
  - PID 3800 wrote to memory of 1940: pid 3800, process fodhelper.exe, target process wscript.exe
  - PID 3264 wrote to memory of 3012: pid 3264, process cmd.exe, target process fodhelper.exe
  - PID 3264 wrote to memory of 3012: pid 3264, process cmd.exe, target process fodhelper.exe
  - PID 3012 wrote to memory of 3744: pid 3012, process fodhelper.exe, target process wscript.exe
  - PID 3012 wrote to memory of 3744: pid 3012, process fodhelper.exe, target process wscript.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5b5dc987c6253c340bb1c8750232ed68fb6c2310866f301cbb732867116a889.dll,#1
  - Modifies extensions of user files
  - Modifies registry class
  - C:\Windows\System32\cmd.exe
    Command line: /c fodhelper.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/xgtzrdwlvctg.dcj
  - C:\Windows\System32\cmd.exe
    Command line: /c fodhelper.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/qqslslhj.dcj
Network
MITRE ATT&CK Matrix
Downloads
- memory/1940-135-0x0000000000000000-mapping.dmp
- memory/3012-136-0x0000000000000000-mapping.dmp
- memory/3744-137-0x0000000000000000-mapping.dmp
- memory/3800-134-0x0000000000000000-mapping.dmp
- memory/4764-132-0x0000000180000000-0x000000018000E000-memory.dmp (Filesize: 56KB)
- memory/4764-133-0x000001E9F1690000-0x000001E9F169A000-memory.dmp (Filesize: 40KB)