d0f2e2ebebb045650b6dc3d5ff21857d542d610c3c0676ec8e90c5598c76461c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0f2e2ebebb045650b6dc3d5ff21857d542d610c3c0676ec8e90c5598c76461c.dll
Size

162KB
MD5

65ccdf17d8b3f47c2035e7ad32c5a530
SHA1

b281bbc6e259cdc8eb2ee0cd401beec01621a24c
SHA256

d0f2e2ebebb045650b6dc3d5ff21857d542d610c3c0676ec8e90c5598c76461c
SHA512

f220a748b397e0a83c09a3cbf589c686ab89cafc6f7dcb54bdb8da452b0cca666c1908d139265b7a8931a0065d192d620d23ec94846d63106fc628c0b2f20477
SSDEEP

3072:a42tGP8HInPLHeknE7BC8I7aN4zt8LRsvUC:a8LHAA8SfOLRsvUC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
616	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	rundll32.exe
616	lsass.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PROGRA~3\c16467c8955c09e8ce6760c3c016d245d75812ff5d3cd6b056540bbebe2e2f0d.pad	lsass.exe
File opened for modification	C:\PROGRA~3\c16467c8955c09e8ce6760c3c016d245d75812ff5d3cd6b056540bbebe2e2f0d.pad	lsass.exe
File created	C:\PROGRA~3\lsass.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	lsass.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	lsass.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377063646"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34FF0DA1-7519-11ED-A45B-DAC72961D548} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe
616	lsass.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
660	iexplore.exe
660	iexplore.exe
660	iexplore.exe
660	iexplore.exe
660	iexplore.exe
660	iexplore.exe
660	iexplore.exe
660	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
660	iexplore.exe
660	iexplore.exe
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1328 wrote to memory of 1196	1328	rundll32.exe	27
PID 1196 wrote to memory of 616	1196	rundll32.exe	28
PID 1196 wrote to memory of 616	1196	rundll32.exe	28
PID 1196 wrote to memory of 616	1196	rundll32.exe	28
PID 1196 wrote to memory of 616	1196	rundll32.exe	28
PID 616 wrote to memory of 660	616	lsass.exe	29
PID 616 wrote to memory of 660	616	lsass.exe	29
PID 616 wrote to memory of 660	616	lsass.exe	29
PID 616 wrote to memory of 660	616	lsass.exe	29
PID 660 wrote to memory of 1748	660	iexplore.exe	31
PID 660 wrote to memory of 1748	660	iexplore.exe	31
PID 660 wrote to memory of 1748	660	iexplore.exe	31
PID 660 wrote to memory of 1748	660	iexplore.exe	31
PID 660 wrote to memory of 516	660	iexplore.exe	32
PID 660 wrote to memory of 516	660	iexplore.exe	32
PID 660 wrote to memory of 516	660	iexplore.exe	32
PID 616 wrote to memory of 660	616	lsass.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0f2e2ebebb045650b6dc3d5ff21857d542d610c3c0676ec8e90c5598c76461c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0f2e2ebebb045650b6dc3d5ff21857d542d610c3c0676ec8e90c5598c76461c.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\PROGRA~3\lsass.exe
    C:\PROGRA~3\lsass.exe C:\Users\Admin\AppData\Local\Temp\d0f2e2ebebb045650b6dc3d5ff21857d542d610c3c0676ec8e90c5598c76461c.dll,GOF1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:660 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1748
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\lsass.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\PROGRA~3\lsass.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LHU9FRPK.txt

Filesize
603B

MD5
67ce3efd5eed96ffea1f8b432a68a78e

SHA1
e92b2cce7f67da47baf65a9affca309ed1cfe54c

SHA256
e6ff4a59998bd149ef20f616dff8874835b1bb7012ad3720e9027ce08263a54e

SHA512
6d03df09d79de9fa5dcde92d122decdb2ae9b3d7a1f57eac81ff7d9c71c5fa561b58da039843b641cb2814aae7e0c0f1cef9cdc49e898c5015d4267db285fc1f

Download Submit
\PROGRA~3\lsass.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\PROGRA~3\lsass.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/616-62-0x0000000000160000-0x00000000001DB000-memory.dmp

Filesize
492KB

Download
memory/1196-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1196-56-0x00000000001F0000-0x000000000026B000-memory.dmp

Filesize
492KB

Download