ed6cc9edf94ea6b441038e2a1854489b869a5f779e82a48f565c9fbcf0875690

Analysis

max time kernel
173s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 17:33

Target

ed6cc9edf94ea6b441038e2a1854489b869a5f779e82a48f565c9fbcf0875690.dll
Size

384KB
MD5

5f6d55d687592fa8717ec3ea7e6c8808
SHA1

bd837dbf69def0871bfee9fc82855a892f98cf73
SHA256

ed6cc9edf94ea6b441038e2a1854489b869a5f779e82a48f565c9fbcf0875690
SHA512

4f90e6503c6c45b2089d6713fc0f21c05417510bd3a5b820be111230f9946e9ccb35dc9b11b4c7e0d21a3007331e5e151fdd8be06c0d967fc5249529cd4d8bba
SSDEEP

6144:yP42l5lGOm/afEPlt1HyYizdsHVwubDAmhIrD6cnshpk5UCj6Zek:+nl5YO4afm3Hv6KcnWpk56

Score

8^/10

Blocklisted process makes network request 4 IoCs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4848	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4848	2396	rundll32.exe	82
PID 2396 wrote to memory of 4848	2396	rundll32.exe	82
PID 2396 wrote to memory of 4848	2396	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6cc9edf94ea6b441038e2a1854489b869a5f779e82a48f565c9fbcf0875690.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6cc9edf94ea6b441038e2a1854489b869a5f779e82a48f565c9fbcf0875690.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: RenamesItself
  PID:4848

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact