99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440

General

Target

99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe
Size

183KB
MD5

a060d46100153671c7755e322c8ef05c
SHA1

c93f45bb67d18cfe81bef57a760c76cfbc5cf89e
SHA256

99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440
SHA512

2e525bdc6046cd8d36edcf0a4f3b0bb2d972c3e1c577fbc46c4906d780e0013a7a1561173fb2620f3e94f7a613fb1b1ef57a42611e238dcaae7abeb65702c231
SSDEEP

3072:IgXdZt9P6D3XJbCitG3Iv6MLSaJa93Yvut38WEZgg1P2kJxKOEsdYPe7q8lHr6uC:Ie344itCIyXa4OGtsWEZz1OkJ4adYPyG

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	844	rundll32.exe
8	844	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
844	rundll32.exe
844	rundll32.exe
844	rundll32.exe
844	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1660	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
844	rundll32.exe
844	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 1172 wrote to memory of 844	1172	99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe	28
PID 844 wrote to memory of 816	844	rundll32.exe	32
PID 844 wrote to memory of 816	844	rundll32.exe	32
PID 844 wrote to memory of 816	844	rundll32.exe	32
PID 844 wrote to memory of 816	844	rundll32.exe	32
PID 816 wrote to memory of 1660	816	cmd.exe	34
PID 816 wrote to memory of 1660	816	cmd.exe	34
PID 816 wrote to memory of 1660	816	cmd.exe	34
PID 816 wrote to memory of 1660	816	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe
"C:\Users\Admin\AppData\Local\Temp\99aef322902567d402e384e6e9ea82e093214ca5144df1190106931eec687440.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\miniloader.dll",Install C:\Users\Admin\AppData\Local\Temp\activate.dat
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\miniloader.dll" >> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\activate.dat

Filesize
1024B

MD5
9ebe4d6ec650231fe222ca35193ce058

SHA1
7c54c2d74bc9eb88cfba7689f2d0b826a5615827

SHA256
f9e7dcf1a99f1c1412e56039c7c6130133696a7e090315f329cf14f6c468a81b

SHA512
f1272b7b528d57b55986d66f6ed96c166187f3cdbd50a0098f916fcf1ea9a654860903831d71edd81855fa12a52bfd5bff7b144eb7eaab66d51f67086c192b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
\Users\Admin\AppData\Local\Temp\miniloader.dll

Filesize
192KB

MD5
c231cd57c8c6ca8e4215d20d46b265bf

SHA1
2b0853c6b42c080d54e197bb75758300db8fe1f2

SHA256
5a2dc25042efefb5c099296cb37cccb237aee9197865435676c1b87b16de8225

SHA512
80f4fdbccb9e24b1dee487eb67c35b780a994aca301af282993d82e7de684adf77e653fcd77709305694ed10257bc67883385df68ed42fbae8560282ce7ba9cc

Download Submit
memory/816-68-0x0000000000000000-mapping.dmp

Download
memory/844-62-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/844-64-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/844-67-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/844-55-0x0000000000000000-mapping.dmp

Download
memory/1172-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1660-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing