d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a

Analysis

max time kernel
153s
max time network
172s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe
Size

800KB
MD5

a19beccaa99b5adfe4f6039abbf36dba
SHA1

0fb646d41bf56ee322820490225daf63e7f45312
SHA256

d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a
SHA512

85a0371837d4ea3aec8268bfd5b70ac8495d6c0a7441bb90cbdde798f8ccaf17188a95bad33025a71dc3781b735d5231dfb5a137045f2e9aef2098199fe24713
SSDEEP

12288:XBrKO9NogFi3DAr+OgD1bUMJ73gwWU+Dbwh1eDtFCO/dPDjZK:xrKKoIi31tJtJ73gwzhQSqdPp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	fb.Exe
1340	rudyf.exe

Loads dropped DLL 4 IoCs

pid	Process
1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe
1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe
2012	fb.Exe
2012	fb.Exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	rudyf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0BD8EEFB-D129-76C0-0FAD-769CAB550674} = "C:\\Users\\Admin\\AppData\\Roaming\\Ecab\\rudyf.exe"	rudyf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 240	2012	fb.Exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	fb.Exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fb.Exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2DA936BF-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe
1340	rudyf.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2012	fb.Exe
Token: SeSecurityPrivilege	2012	fb.Exe
Token: SeSecurityPrivilege	240	cmd.exe
Token: SeSecurityPrivilege	240	cmd.exe
Token: SeManageVolumePrivilege	1592	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1592	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1592	WinMail.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe
1592	WinMail.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2012	1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe	28
PID 1184 wrote to memory of 2012	1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe	28
PID 1184 wrote to memory of 2012	1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe	28
PID 1184 wrote to memory of 2012	1184	d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe	28
PID 2012 wrote to memory of 1340	2012	fb.Exe	29
PID 2012 wrote to memory of 1340	2012	fb.Exe	29
PID 2012 wrote to memory of 1340	2012	fb.Exe	29
PID 2012 wrote to memory of 1340	2012	fb.Exe	29
PID 1340 wrote to memory of 1132	1340	rudyf.exe	18
PID 1340 wrote to memory of 1132	1340	rudyf.exe	18
PID 1340 wrote to memory of 1132	1340	rudyf.exe	18
PID 1340 wrote to memory of 1132	1340	rudyf.exe	18
PID 1340 wrote to memory of 1132	1340	rudyf.exe	18
PID 1340 wrote to memory of 1192	1340	rudyf.exe	17
PID 1340 wrote to memory of 1192	1340	rudyf.exe	17
PID 1340 wrote to memory of 1192	1340	rudyf.exe	17
PID 1340 wrote to memory of 1192	1340	rudyf.exe	17
PID 1340 wrote to memory of 1192	1340	rudyf.exe	17
PID 1340 wrote to memory of 1268	1340	rudyf.exe	10
PID 1340 wrote to memory of 1268	1340	rudyf.exe	10
PID 1340 wrote to memory of 1268	1340	rudyf.exe	10
PID 1340 wrote to memory of 1268	1340	rudyf.exe	10
PID 1340 wrote to memory of 1268	1340	rudyf.exe	10
PID 1340 wrote to memory of 2012	1340	rudyf.exe	28
PID 1340 wrote to memory of 2012	1340	rudyf.exe	28
PID 1340 wrote to memory of 2012	1340	rudyf.exe	28
PID 1340 wrote to memory of 2012	1340	rudyf.exe	28
PID 1340 wrote to memory of 2012	1340	rudyf.exe	28
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 2012 wrote to memory of 240	2012	fb.Exe	30
PID 1340 wrote to memory of 280	1340	rudyf.exe	31
PID 1340 wrote to memory of 280	1340	rudyf.exe	31
PID 1340 wrote to memory of 280	1340	rudyf.exe	31
PID 1340 wrote to memory of 280	1340	rudyf.exe	31
PID 1340 wrote to memory of 280	1340	rudyf.exe	31
PID 1340 wrote to memory of 1396	1340	rudyf.exe	32
PID 1340 wrote to memory of 1396	1340	rudyf.exe	32
PID 1340 wrote to memory of 1396	1340	rudyf.exe	32
PID 1340 wrote to memory of 1396	1340	rudyf.exe	32
PID 1340 wrote to memory of 1396	1340	rudyf.exe	32
PID 1340 wrote to memory of 1032	1340	rudyf.exe	33
PID 1340 wrote to memory of 1032	1340	rudyf.exe	33
PID 1340 wrote to memory of 1032	1340	rudyf.exe	33
PID 1340 wrote to memory of 1032	1340	rudyf.exe	33
PID 1340 wrote to memory of 1032	1340	rudyf.exe	33
PID 1340 wrote to memory of 1592	1340	rudyf.exe	34
PID 1340 wrote to memory of 1592	1340	rudyf.exe	34
PID 1340 wrote to memory of 1592	1340	rudyf.exe	34
PID 1340 wrote to memory of 1592	1340	rudyf.exe	34
PID 1340 wrote to memory of 1592	1340	rudyf.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe
  "C:\Users\Admin\AppData\Local\Temp\d3dc1cdfb6b10548c3a98cd464e096b0e95bb95435ba136af59a8817c621562a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\fb.Exe
    "C:\Users\Admin\AppData\Local\Temp\fb.Exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Roaming\Ecab\rudyf.exe
      "C:\Users\Admin\AppData\Roaming\Ecab\rudyf.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp49e55b6e.bat"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:240

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-599633321734122105-15489587792102238659-368700900-1303125052-744328874-1346433625"
1⤵
PID:280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1032

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fb.Exe

Filesize
138KB

MD5
e27d8ecbe7e2e4f4d3461b81fa935fdb

SHA1
ac06052003111055e2a93e0f649211183be32e48

SHA256
a1755720aa9514f5bff8ca2d4c843cae702d4f963e4391597451a9cafc3b07b3

SHA512
92faccb34a0b209bc4586d809989de0ea950f08a44ff633afa9be757e18993d1e214296a2209a3dd09c99c3ccae15be7c613987b8f2d551212a387dc0854d007

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb.Exe

Filesize
138KB

MD5
e27d8ecbe7e2e4f4d3461b81fa935fdb

SHA1
ac06052003111055e2a93e0f649211183be32e48

SHA256
a1755720aa9514f5bff8ca2d4c843cae702d4f963e4391597451a9cafc3b07b3

SHA512
92faccb34a0b209bc4586d809989de0ea950f08a44ff633afa9be757e18993d1e214296a2209a3dd09c99c3ccae15be7c613987b8f2d551212a387dc0854d007

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49e55b6e.bat

Filesize
183B

MD5
99ecff89635959a6033cc1544b3ac637

SHA1
1deaf55c895b0023495fd7e2ccd92e3a86d48ba2

SHA256
2b6691791b56952da42ac8adec412045f9bf4bbbf4cdebd4e81e8e198701e493

SHA512
3e0652dcdbe360a66d308022dacd229967138e370681ddcfda33da72b737316fa49a38555661f49b509f0ed5db05f3b8be7cba28bb3e23766981f20b71c0120d

Download Submit
C:\Users\Admin\AppData\Roaming\Ecab\rudyf.exe

Filesize
138KB

MD5
a089acd87c9a2b3bfe3963ee5c08a3bf

SHA1
3b378394a250706bbf4836bd5b00bcee9530b313

SHA256
162f11c940bc750ad26399a6c5b5757f300384b4fa7e72c34962ccd9fe23f02c

SHA512
f5136cc574277c373285b798b12a1bc30de96cc1622675a352d9edee423144daa0cece1bcd0f7a0d8c7d223e20113df7ac0570d1bf7b736a1083a38bca18994d

Download Submit
C:\Users\Admin\AppData\Roaming\Ecab\rudyf.exe

Filesize
138KB

MD5
a089acd87c9a2b3bfe3963ee5c08a3bf

SHA1
3b378394a250706bbf4836bd5b00bcee9530b313

SHA256
162f11c940bc750ad26399a6c5b5757f300384b4fa7e72c34962ccd9fe23f02c

SHA512
f5136cc574277c373285b798b12a1bc30de96cc1622675a352d9edee423144daa0cece1bcd0f7a0d8c7d223e20113df7ac0570d1bf7b736a1083a38bca18994d

Download Submit
C:\Users\Admin\AppData\Roaming\Ewoxx\ikdo.irl

Filesize
336B

MD5
5955eda41d1faad686858a303f1fc2be

SHA1
200f9353428b4a1477e8b07c6d63b5104c77f3fb

SHA256
7a88bc3b05ca4d266b23d59e711b2440f7353c4b25cc9fd66305743c6147044a

SHA512
07822d05f110509318e05ea80c46b67c2de7c944c3fbe3d280c96273a66ce5c2b15a0cbdf1a4da76f3a5439c1d91ffaaf1e4af78944db94e7a67742bd6dd397d

Download Submit
\Users\Admin\AppData\Local\Temp\fb.Exe

Filesize
138KB

MD5
e27d8ecbe7e2e4f4d3461b81fa935fdb

SHA1
ac06052003111055e2a93e0f649211183be32e48

SHA256
a1755720aa9514f5bff8ca2d4c843cae702d4f963e4391597451a9cafc3b07b3

SHA512
92faccb34a0b209bc4586d809989de0ea950f08a44ff633afa9be757e18993d1e214296a2209a3dd09c99c3ccae15be7c613987b8f2d551212a387dc0854d007

Download Submit
\Users\Admin\AppData\Local\Temp\fb.Exe

Filesize
138KB

MD5
e27d8ecbe7e2e4f4d3461b81fa935fdb

SHA1
ac06052003111055e2a93e0f649211183be32e48

SHA256
a1755720aa9514f5bff8ca2d4c843cae702d4f963e4391597451a9cafc3b07b3

SHA512
92faccb34a0b209bc4586d809989de0ea950f08a44ff633afa9be757e18993d1e214296a2209a3dd09c99c3ccae15be7c613987b8f2d551212a387dc0854d007

Download Submit
\Users\Admin\AppData\Roaming\Ecab\rudyf.exe

Filesize
138KB

MD5
a089acd87c9a2b3bfe3963ee5c08a3bf

SHA1
3b378394a250706bbf4836bd5b00bcee9530b313

SHA256
162f11c940bc750ad26399a6c5b5757f300384b4fa7e72c34962ccd9fe23f02c

SHA512
f5136cc574277c373285b798b12a1bc30de96cc1622675a352d9edee423144daa0cece1bcd0f7a0d8c7d223e20113df7ac0570d1bf7b736a1083a38bca18994d

Download Submit
\Users\Admin\AppData\Roaming\Ecab\rudyf.exe

Filesize
138KB

MD5
a089acd87c9a2b3bfe3963ee5c08a3bf

SHA1
3b378394a250706bbf4836bd5b00bcee9530b313

SHA256
162f11c940bc750ad26399a6c5b5757f300384b4fa7e72c34962ccd9fe23f02c

SHA512
f5136cc574277c373285b798b12a1bc30de96cc1622675a352d9edee423144daa0cece1bcd0f7a0d8c7d223e20113df7ac0570d1bf7b736a1083a38bca18994d

Download Submit
memory/240-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/240-99-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/240-101-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/240-102-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/240-103-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/280-111-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/280-113-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/280-114-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/280-112-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1032-123-0x0000000002420000-0x0000000002447000-memory.dmp

Filesize
156KB

Download
memory/1032-126-0x0000000002420000-0x0000000002447000-memory.dmp

Filesize
156KB

Download
memory/1032-124-0x0000000002420000-0x0000000002447000-memory.dmp

Filesize
156KB

Download
memory/1032-125-0x0000000002420000-0x0000000002447000-memory.dmp

Filesize
156KB

Download
memory/1132-75-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-71-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-76-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-74-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1132-73-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1184-57-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1184-63-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1184-56-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1192-80-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1192-81-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1192-82-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1192-79-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1268-88-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1268-87-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1268-85-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1268-86-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1396-119-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1396-117-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1396-118-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1396-120-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1592-135-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/1592-129-0x0000000002050000-0x0000000002060000-memory.dmp

Filesize
64KB

Download
memory/1592-128-0x000007FEF61E1000-0x000007FEF61E3000-memory.dmp

Filesize
8KB

Download
memory/1592-127-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/2012-95-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2012-94-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2012-93-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2012-91-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2012-105-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2012-96-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/2012-92-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download