f1365b27d96aee93d6ddb7d88e56cfedccfa064a0e23877207066b0239e9a49c

Analysis

max time kernel
241s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1365b27d96aee93d6ddb7d88e56cfedccfa064a0e23877207066b0239e9a49c.dll
Size

35KB
MD5

0493724e78412d0f414c7b8a699a7a90
SHA1

796ab0b66a20e1f72bc23dc8ba6bc70854a950d5
SHA256

f1365b27d96aee93d6ddb7d88e56cfedccfa064a0e23877207066b0239e9a49c
SHA512

67f73c2d07a41c67d35f7f057a04df09029c202e58be212c0e8422ffc6d7b205b8175c9f33438f2b76a45b673f61e52c336c83c673dc734c143423dead6f7ca8
SSDEEP

768:BzVffeW/ija+1IiBdQrrubgeattSKJDrSxhvIih666E:BzBfadQvuHbKlr4h1f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1920	yuns32.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCX204E.tmp	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1516	rundll32.exe
1516	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 560 wrote to memory of 1516	560	rundll32.exe	28
PID 1516 wrote to memory of 1920	1516	rundll32.exe	29
PID 1516 wrote to memory of 1920	1516	rundll32.exe	29
PID 1516 wrote to memory of 1920	1516	rundll32.exe	29
PID 1516 wrote to memory of 1920	1516	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1365b27d96aee93d6ddb7d88e56cfedccfa064a0e23877207066b0239e9a49c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1365b27d96aee93d6ddb7d88e56cfedccfa064a0e23877207066b0239e9a49c.dll,#1
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe"
    3⤵
    - Executes dropped EXE
    PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe

Filesize
18KB

MD5
ffa0046d645d0c9e4df1d7f627b18d3e

SHA1
fd9f8f9683cb4904285047b6c74c98976054dbf9

SHA256
bc3ac2645b738501ecfd5a60ffe5b8ad9266ec489fbb5da29ab0fe398ac760ff

SHA512
2d1d69292de8785f7028aa338f54fc7acb1c7576affb2cba6eeaeb8fb0dcc0756df5a4a06dfc005d044c9769673d39ecd8a4bbe6adfb2942094d98ad1325d872

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe

Filesize
18KB

MD5
ffa0046d645d0c9e4df1d7f627b18d3e

SHA1
fd9f8f9683cb4904285047b6c74c98976054dbf9

SHA256
bc3ac2645b738501ecfd5a60ffe5b8ad9266ec489fbb5da29ab0fe398ac760ff

SHA512
2d1d69292de8785f7028aa338f54fc7acb1c7576affb2cba6eeaeb8fb0dcc0756df5a4a06dfc005d044c9769673d39ecd8a4bbe6adfb2942094d98ad1325d872

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yuns32.exe

Filesize
18KB

MD5
ffa0046d645d0c9e4df1d7f627b18d3e

SHA1
fd9f8f9683cb4904285047b6c74c98976054dbf9

SHA256
bc3ac2645b738501ecfd5a60ffe5b8ad9266ec489fbb5da29ab0fe398ac760ff

SHA512
2d1d69292de8785f7028aa338f54fc7acb1c7576affb2cba6eeaeb8fb0dcc0756df5a4a06dfc005d044c9769673d39ecd8a4bbe6adfb2942094d98ad1325d872

Download Submit
memory/1516-54-0x0000000000000000-mapping.dmp

Download
memory/1516-55-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1516-56-0x0000000000131000-0x0000000000138000-memory.dmp

Filesize
28KB

Download
memory/1920-59-0x0000000000000000-mapping.dmp

Download