dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d

General

Target

dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d.dll
Size

128KB
MD5

bd044ffe4c0545a78d1c469100099049
SHA1

f25847348d752f4e96f904e0264991625dd8f8ae
SHA256

dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d
SHA512

13465c4de25a811ec68b33faf164fac8af4a2865b27723a404a4e8801ce35d351951084eb774e169ad0b55f145965b496013ccffc8605e5c8539a99981da0cd9
SSDEEP

3072:hPP9JJGoDV7OcVrB9DsdTqs3OL5PFn0wcccccccc:FPlV7jB9DsdTX30PFn0wcccccccc

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1116	rundll32.exe
3	1696	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B4D5C423-984C-4BEE-B983-8E634A553ABD} = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\\7ba6.dll\",DllGetClassObject secret 26468"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1116	rundll32.exe
1696	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1792 wrote to memory of 1116	1792	rundll32.exe	28
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29
PID 1116 wrote to memory of 1696	1116	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\7ba6.dll",DllGetClassObject secret 26468
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\7ba6.dll

Filesize
128KB

MD5
bd044ffe4c0545a78d1c469100099049

SHA1
f25847348d752f4e96f904e0264991625dd8f8ae

SHA256
dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d

SHA512
13465c4de25a811ec68b33faf164fac8af4a2865b27723a404a4e8801ce35d351951084eb774e169ad0b55f145965b496013ccffc8605e5c8539a99981da0cd9

Download Submit
\Users\Admin\AppData\Local\Temp\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\7ba6.dll

Filesize
128KB

MD5
bd044ffe4c0545a78d1c469100099049

SHA1
f25847348d752f4e96f904e0264991625dd8f8ae

SHA256
dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d

SHA512
13465c4de25a811ec68b33faf164fac8af4a2865b27723a404a4e8801ce35d351951084eb774e169ad0b55f145965b496013ccffc8605e5c8539a99981da0cd9

Download Submit
\Users\Admin\AppData\Local\Temp\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\7ba6.dll

Filesize
128KB

MD5
bd044ffe4c0545a78d1c469100099049

SHA1
f25847348d752f4e96f904e0264991625dd8f8ae

SHA256
dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d

SHA512
13465c4de25a811ec68b33faf164fac8af4a2865b27723a404a4e8801ce35d351951084eb774e169ad0b55f145965b496013ccffc8605e5c8539a99981da0cd9

Download Submit
\Users\Admin\AppData\Local\Temp\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\7ba6.dll

Filesize
128KB

MD5
bd044ffe4c0545a78d1c469100099049

SHA1
f25847348d752f4e96f904e0264991625dd8f8ae

SHA256
dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d

SHA512
13465c4de25a811ec68b33faf164fac8af4a2865b27723a404a4e8801ce35d351951084eb774e169ad0b55f145965b496013ccffc8605e5c8539a99981da0cd9

Download Submit
\Users\Admin\AppData\Local\Temp\{B4D5C423-984C-4BEE-B983-8E634A553ABD}\7ba6.dll

Filesize
128KB

MD5
bd044ffe4c0545a78d1c469100099049

SHA1
f25847348d752f4e96f904e0264991625dd8f8ae

SHA256
dcf1b2e6c8107aed058a8e7e3b874f16f84cf811bd6f5ee0dc8230943004190d

SHA512
13465c4de25a811ec68b33faf164fac8af4a2865b27723a404a4e8801ce35d351951084eb774e169ad0b55f145965b496013ccffc8605e5c8539a99981da0cd9

Download Submit
memory/1116-54-0x0000000000000000-mapping.dmp

Download
memory/1116-55-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1116-56-0x0000000074C50000-0x0000000074C7B000-memory.dmp

Filesize
172KB

Download
memory/1116-58-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/1696-59-0x0000000000000000-mapping.dmp

Download
memory/1696-66-0x0000000074860000-0x000000007488B000-memory.dmp

Filesize
172KB

Download
memory/1696-68-0x0000000001E00000-0x0000000001F00000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing