efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b

General

Target

efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
Size

3.6MB
MD5

2e6eef8998ce9fb18e16ae66200c86e9
SHA1

a1536afd9eb239630986af815e70cf8307b6f23d
SHA256

efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b
SHA512

7408eb8848df553227fb8c7029fbe3502f118be0914be97766cdb4e8c553c8d20b73b7ab9683dc4f6a673b9e0e4d3f242250195d680b862634ae370ee18b0208
SSDEEP

3072:dznH3g9O5h9jyrDUHsF1w5VqW9W/QZ16Polx0sf9mrjREsD:dznH3bPN69U54KWYZ16PoMlPD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1244	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
1244	rundll32.exe
720	rundll32.exe
720	rundll32.exe
720	rundll32.exe
720	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bak8011252.log	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsUpdate\ControlPanel.cpl	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
File opened for modification	C:\Program Files\Realtek\EditorsUI.dll	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
File created	C:\Program Files\WindowsUpdate\360safe.exe	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
File opened for modification	C:\Program Files\WindowsUpdate\360safe.exe	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32\ = "="	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}\LocalServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7C9975-ECA1-4190-B0EB-E37BC5E40893}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
720	rundll32.exe
1244	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 1244	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	28
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30
PID 1484 wrote to memory of 720	1484	efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe	30

C:\Users\Admin\AppData\Local\Temp\efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe
"C:\Users\Admin\AppData\Local\Temp\efcd3910ba8e4704947e6ba0567cd77229626ad634024c6bc6ad6b5ea49a578b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\windows\SysWOW64\rundll32.exe
  C:\windows\system32\rundll32.exe C:\PROGRA~1\WIFE7F~1\CONTRO~1.CPL comdl2
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1244
- C:\windows\SysWOW64\rundll32.exe
  C:\windows\system32\rundll32.exe C:\PROGRA~1\Realtek\EDITOR~1.DLL comdl2
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:720

C:\Windows\System32\svchost.exe
C:\Windows\\System32\\svchost.exe -k netsvcs
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\WIFE7F~1\CONTRO~1.CPL

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
C:\Windows\SysWOW64\bak8011252.log

Filesize
102B

MD5
78cb3535270a8af6b55f4b92718636f6

SHA1
1167a1f40267aa8371df37fe6afb0d31d9957928

SHA256
e0fdf28aa46063b8477077d958b85b2c2136f0af05861ca998a8620801a3519f

SHA512
c76644df43eb97c18980fd503b35b61121af6342425160b0f3d1302d49c006cdd846cfc20e7c49f9a6ea266561dd826f9d4c40104155360392ba2340d73b38c0

Download Submit
\??\c:\program files\realtek\editorsui.dll

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
\PROGRA~1\WIFE7F~1\CONTRO~1.CPL

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
\Program Files\Realtek\EditorsUI.dll

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
\Program Files\Realtek\EditorsUI.dll

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
\Program Files\Realtek\EditorsUI.dll

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
\Program Files\Realtek\EditorsUI.dll

Filesize
30.2MB

MD5
cfacdf18177cf63251cccb50fe21d5b6

SHA1
52e6abf6b200a44524177fedd8e6e9681c5c9521

SHA256
bcf8c3113aac4ef239c98a48277f7b19026bd951f483d0a149684d0a86a08009

SHA512
f77e12b07bc2dd5f940642dd5f8e065003cb453fafe709b798a0a8bcf519f51c5389c6546b73bdcd7b197362fe2319db68ceb6a7bf8e541c728bd1070a4cd366

Download Submit
memory/1484-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1484-56-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing