468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c

General

Target

468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c.dll
Size

121KB
MD5

ad073afc9cc3a0e55f379fe218839880
SHA1

85bdb48cd44c14123fbb94021ca96743ac5c445a
SHA256

468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c
SHA512

324169f5c1d7aa5af414a92380691a50e1fbf4913636af657b24147ad1d5aa41bc52e1fc016d82217080e3b42935689d9fc921b0a1b90c4865d296f5866edf4a
SSDEEP

1536:4ZfFsj+G40DEpf+eO7R+Uo1Fw3JU3KUdQtowqTqnItiXDKPH7j9jD4yCtJ2a3l:4Z9sjk0o6d+Uo/gJImQTrKKPbNsyMJ2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14} = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\\2c28.dll\",DllGetClassObject secret 18215"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1480	rundll32.exe
1628	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1284 wrote to memory of 1480	1284	rundll32.exe	28
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29
PID 1480 wrote to memory of 1628	1480	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c.dll,#1
  2⤵
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\2c28.dll",DllGetClassObject secret 18215
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\2c28.dll

Filesize
121KB

MD5
ad073afc9cc3a0e55f379fe218839880

SHA1
85bdb48cd44c14123fbb94021ca96743ac5c445a

SHA256
468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c

SHA512
324169f5c1d7aa5af414a92380691a50e1fbf4913636af657b24147ad1d5aa41bc52e1fc016d82217080e3b42935689d9fc921b0a1b90c4865d296f5866edf4a

Download Submit
\Users\Admin\AppData\Local\Temp\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\2c28.dll

Filesize
121KB

MD5
ad073afc9cc3a0e55f379fe218839880

SHA1
85bdb48cd44c14123fbb94021ca96743ac5c445a

SHA256
468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c

SHA512
324169f5c1d7aa5af414a92380691a50e1fbf4913636af657b24147ad1d5aa41bc52e1fc016d82217080e3b42935689d9fc921b0a1b90c4865d296f5866edf4a

Download Submit
\Users\Admin\AppData\Local\Temp\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\2c28.dll

Filesize
121KB

MD5
ad073afc9cc3a0e55f379fe218839880

SHA1
85bdb48cd44c14123fbb94021ca96743ac5c445a

SHA256
468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c

SHA512
324169f5c1d7aa5af414a92380691a50e1fbf4913636af657b24147ad1d5aa41bc52e1fc016d82217080e3b42935689d9fc921b0a1b90c4865d296f5866edf4a

Download Submit
\Users\Admin\AppData\Local\Temp\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\2c28.dll

Filesize
121KB

MD5
ad073afc9cc3a0e55f379fe218839880

SHA1
85bdb48cd44c14123fbb94021ca96743ac5c445a

SHA256
468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c

SHA512
324169f5c1d7aa5af414a92380691a50e1fbf4913636af657b24147ad1d5aa41bc52e1fc016d82217080e3b42935689d9fc921b0a1b90c4865d296f5866edf4a

Download Submit
\Users\Admin\AppData\Local\Temp\{1DC278FD-D5BF-4C2D-859E-F47B57C5BD14}\2c28.dll

Filesize
121KB

MD5
ad073afc9cc3a0e55f379fe218839880

SHA1
85bdb48cd44c14123fbb94021ca96743ac5c445a

SHA256
468b75480eaf2b1b96382a239142bf617f0b65f2ba3faf26527a1842457d246c

SHA512
324169f5c1d7aa5af414a92380691a50e1fbf4913636af657b24147ad1d5aa41bc52e1fc016d82217080e3b42935689d9fc921b0a1b90c4865d296f5866edf4a

Download Submit
memory/1480-55-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1480-56-0x0000000074BD0000-0x0000000074BF8000-memory.dmp

Filesize
160KB

Download
memory/1480-67-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/1628-65-0x0000000073C60000-0x0000000073C88000-memory.dmp

Filesize
160KB

Download
memory/1628-68-0x0000000001C50000-0x0000000001D50000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing