b209a79726a0facadc8a530b9fb35a343f4c47b55abe2b142d9c473a46e54029

Analysis

max time kernel
17s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 07:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b209a79726a0facadc8a530b9fb35a343f4c47b55abe2b142d9c473a46e54029.dll
Size

24KB
MD5

ab3df3b722b433b06528cede21df6c20
SHA1

b11fcfa33a623bde554913f1e2557eb951aa5473
SHA256

b209a79726a0facadc8a530b9fb35a343f4c47b55abe2b142d9c473a46e54029
SHA512

25861b0572955c30dfef79b2b5da99f1228c6638d001214fd43aa38f6bcff43aabc099d8a6297ab8f9b62e5940921d3868aac3a7616c01e79fd6cf29390f4c88
SSDEEP

768:9SEulevXbpjPkz70PjPs7qQYkwlJLMoiu:rusDpad7skq2u

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.dll	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.lnk	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autochk = "rundll32.exe C:\\Windows\\system32\\autochk.dll,_IWMPEvents@16"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\autochk = "rundll32.exe C:\\Users\\Admin\\protect.dll,_IWMPEvents@16"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\autochk.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2008	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28
PID 2036 wrote to memory of 2008	2036	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b209a79726a0facadc8a530b9fb35a343f4c47b55abe2b142d9c473a46e54029.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b209a79726a0facadc8a530b9fb35a343f4c47b55abe2b142d9c473a46e54029.dll,#1
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-55-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2008-57-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2008-59-0x0000000003000000-0x0000000003011000-memory.dmp

Filesize
68KB

Download
memory/2008-58-0x00000000005A8000-0x00000000005B9000-memory.dmp

Filesize
68KB

Download
memory/2008-60-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2008-61-0x0000000003000000-0x0000000003011000-memory.dmp

Filesize
68KB

Download