99ffd9707102e89e04ea332b981eadcb8127132c2ef4db464e5e7f09803ee327

Analysis

max time kernel
147s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99ffd9707102e89e04ea332b981eadcb8127132c2ef4db464e5e7f09803ee327.dll
Size

528KB
MD5

6ba8bb535e41226bf4639b5d50a52ec6
SHA1

6345a328dc0e341e05cce3131ef431e565a5f359
SHA256

99ffd9707102e89e04ea332b981eadcb8127132c2ef4db464e5e7f09803ee327
SHA512

b53d500a6f9a0ad8f593afcee037d3aa5c06c6ae2ffe43b6cd8f316df39a921465136b088d338d27b61dfc596fb50e7860c960a018ba8b2138b84b2288c4db15
SSDEEP

12288:mOPSzJ0XMoKUycUJTZAbW9tuKc4yxqXr7bFdm5Uf01p8kkoT:mOPSzJ0XMoRycuRruKc4wqXjFM5Uc1pL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
1940	netview.exe
1472	netview.exe
660	netview.exe
1412	netview.exe
1484	netview.exe
1820	netview.exe
1464	netview.exe
1696	netview.exe
1544	netview.exe
1676	netview.exe
744	netview.exe
1752	netview.exe
1524	netview.exe

Loads dropped DLL 2 IoCs

pid	Process
1112	rundll32.exe
1940	netview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	netview.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1768 wrote to memory of 1112	1768	rundll32.exe	27
PID 1112 wrote to memory of 1940	1112	rundll32.exe	28
PID 1112 wrote to memory of 1940	1112	rundll32.exe	28
PID 1112 wrote to memory of 1940	1112	rundll32.exe	28
PID 1112 wrote to memory of 1940	1112	rundll32.exe	28
PID 1112 wrote to memory of 1472	1112	rundll32.exe	29
PID 1112 wrote to memory of 1472	1112	rundll32.exe	29
PID 1112 wrote to memory of 1472	1112	rundll32.exe	29
PID 1112 wrote to memory of 1472	1112	rundll32.exe	29
PID 1112 wrote to memory of 660	1112	rundll32.exe	30
PID 1112 wrote to memory of 660	1112	rundll32.exe	30
PID 1112 wrote to memory of 660	1112	rundll32.exe	30
PID 1112 wrote to memory of 660	1112	rundll32.exe	30
PID 1112 wrote to memory of 1412	1112	rundll32.exe	31
PID 1112 wrote to memory of 1412	1112	rundll32.exe	31
PID 1112 wrote to memory of 1412	1112	rundll32.exe	31
PID 1112 wrote to memory of 1412	1112	rundll32.exe	31
PID 1112 wrote to memory of 1484	1112	rundll32.exe	32
PID 1112 wrote to memory of 1484	1112	rundll32.exe	32
PID 1112 wrote to memory of 1484	1112	rundll32.exe	32
PID 1112 wrote to memory of 1484	1112	rundll32.exe	32
PID 1112 wrote to memory of 1820	1112	rundll32.exe	33
PID 1112 wrote to memory of 1820	1112	rundll32.exe	33
PID 1112 wrote to memory of 1820	1112	rundll32.exe	33
PID 1112 wrote to memory of 1820	1112	rundll32.exe	33
PID 1112 wrote to memory of 1464	1112	rundll32.exe	34
PID 1112 wrote to memory of 1464	1112	rundll32.exe	34
PID 1112 wrote to memory of 1464	1112	rundll32.exe	34
PID 1112 wrote to memory of 1464	1112	rundll32.exe	34
PID 1112 wrote to memory of 1696	1112	rundll32.exe	35
PID 1112 wrote to memory of 1696	1112	rundll32.exe	35
PID 1112 wrote to memory of 1696	1112	rundll32.exe	35
PID 1112 wrote to memory of 1696	1112	rundll32.exe	35
PID 1112 wrote to memory of 1544	1112	rundll32.exe	36
PID 1112 wrote to memory of 1544	1112	rundll32.exe	36
PID 1112 wrote to memory of 1544	1112	rundll32.exe	36
PID 1112 wrote to memory of 1544	1112	rundll32.exe	36
PID 1112 wrote to memory of 1676	1112	rundll32.exe	37
PID 1112 wrote to memory of 1676	1112	rundll32.exe	37
PID 1112 wrote to memory of 1676	1112	rundll32.exe	37
PID 1112 wrote to memory of 1676	1112	rundll32.exe	37
PID 1112 wrote to memory of 744	1112	rundll32.exe	38
PID 1112 wrote to memory of 744	1112	rundll32.exe	38
PID 1112 wrote to memory of 744	1112	rundll32.exe	38
PID 1112 wrote to memory of 744	1112	rundll32.exe	38
PID 1112 wrote to memory of 1752	1112	rundll32.exe	39
PID 1112 wrote to memory of 1752	1112	rundll32.exe	39
PID 1112 wrote to memory of 1752	1112	rundll32.exe	39
PID 1112 wrote to memory of 1752	1112	rundll32.exe	39
PID 1112 wrote to memory of 1524	1112	rundll32.exe	40
PID 1112 wrote to memory of 1524	1112	rundll32.exe	40
PID 1112 wrote to memory of 1524	1112	rundll32.exe	40
PID 1112 wrote to memory of 1524	1112	rundll32.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99ffd9707102e89e04ea332b981eadcb8127132c2ef4db464e5e7f09803ee327.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\99ffd9707102e89e04ea332b981eadcb8127132c2ef4db464e5e7f09803ee327.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1472
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:660
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1412
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1464
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1544
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1676
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:744
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Users\Admin\Documents\netview.exe
    C:\Users\Admin\Documents\netview.exe
    3⤵
    - Executes dropped EXE
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\360netview.dll

Filesize
48KB

MD5
792ced8659162ab90d80c9da05de1b7f

SHA1
a975c7170144e1a913ced772ecb640e322a6069a

SHA256
ad0d41b5731c06ce6d1f1f94f44cbbfa6f74b8c6a4a4f4c6eb8d3e39a4e8aaad

SHA512
110d2ad8ca5c4e0023e6b1410d6a6ba6b8b709ca03c1b80655f67ea579faefe972261234e006a7402936de9e3c42113a8d7567860eff1b35c68137b3e98c3be8

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
C:\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
\Users\Admin\Documents\360netview.dll

Filesize
48KB

MD5
792ced8659162ab90d80c9da05de1b7f

SHA1
a975c7170144e1a913ced772ecb640e322a6069a

SHA256
ad0d41b5731c06ce6d1f1f94f44cbbfa6f74b8c6a4a4f4c6eb8d3e39a4e8aaad

SHA512
110d2ad8ca5c4e0023e6b1410d6a6ba6b8b709ca03c1b80655f67ea579faefe972261234e006a7402936de9e3c42113a8d7567860eff1b35c68137b3e98c3be8

Download Submit
\Users\Admin\Documents\netview.exe

Filesize
361KB

MD5
dbc645e0b232f5f59103494dc8522068

SHA1
e212303ec5ddff27732dfdff9df38e9458477cab

SHA256
141514af5bc57c17717c58fc6bd372fca4c51740c005b798585bdc6fb2d73d26

SHA512
c71e1ef44229eb6c0e660ab94418aac54c5d34de079b27fcda1544445d6a006f47ad31bb773b27a99af06e5f95aecf716e77e500780e944ca774067161898991

Download Submit
memory/1112-55-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download