Overview

overview

8

Static

static

20bbe829dc...38.dll

windows7-x64

8

20bbe829dc...38.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    116s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02/12/2022, 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20bbe829dc628e106797958b422d4ebacd29066b6fd5418930a7e42a57546338.dll

  • Size

    96KB

  • MD5

    fc7aa0c1358943f14607b788b2ea7540

  • SHA1

    444ff4c70318d2ed8a5c6a83dd550cf13eac0653

  • SHA256

    20bbe829dc628e106797958b422d4ebacd29066b6fd5418930a7e42a57546338

  • SHA512

    caf5780636ea62fbbb76fa19429bab488b61590f130fe6607082bdf05a3c569819ccd2c05720208d54f4d5a974fe5b9d767a81a432f3f52ab52a1ac551969d9a

  • SSDEEP

    768:EnKl2XOz3sCu+/h29vOYXOhYFtDJOgpg5Rd5WtXhG2yg0rvLp8N:EnKl2oOOYXTFtTCh5Yk2y3jp8N

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20bbe829dc628e106797958b422d4ebacd29066b6fd5418930a7e42a57546338.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\20bbe829dc628e106797958b422d4ebacd29066b6fd5418930a7e42a57546338.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\instsp2.exe
        C:\Windows\instsp2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\instsp2.exe > nul
          4⤵
            PID:1704

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\instsp2.exe
      Filesize

      9KB

      MD5

      c0a73a33bc9b336e8fa0ea0c9f501b38

      SHA1

      d7dbcd51bd10039303bc993bd582a4bbd29f8904

      SHA256

      fcea9a342f04acae421a4bc59037a8e73b19cc91614ebb08613dfac2f3bc7f14

      SHA512

      6a313be1141f377f15d6765f88f4650fa721982c07f169124a0633fe1c94d4b72e5b66adc9b62d7037f13d8bb54801606f89ae052a6d1e7b6bd6b2674304e859

      Download Submit

    • C:\Windows\instsp2.exe
      Filesize

      9KB

      MD5

      c0a73a33bc9b336e8fa0ea0c9f501b38

      SHA1

      d7dbcd51bd10039303bc993bd582a4bbd29f8904

      SHA256

      fcea9a342f04acae421a4bc59037a8e73b19cc91614ebb08613dfac2f3bc7f14

      SHA512

      6a313be1141f377f15d6765f88f4650fa721982c07f169124a0633fe1c94d4b72e5b66adc9b62d7037f13d8bb54801606f89ae052a6d1e7b6bd6b2674304e859

      Download Submit

    • memory/320-61-0x00000000003E0000-0x000000000040C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1272-55-0x0000000076651000-0x0000000076653000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1272-60-0x0000000000230000-0x000000000025C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1272-59-0x0000000000230000-0x000000000025C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1272-62-0x0000000000230000-0x000000000025C000-memory.dmp

      Filesize

      176KB

      Download