Analysis
- max time kernel: 130s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2022 22:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe
  Resource: win10v2004-20221111-en
General
- Target: 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe
- Size: 1.1MB
- MD5: aa2c4aeb51a56f83a696fdada3056a4e
- SHA1: 38b9c00bb231b8fbed2661cfbff61bacee81f7a8
- SHA256: 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5
- SHA512: bef5121f9f944a3b70ad80007a2bc9edb841eb69ee33ffa4ff41b6873217869b98f0be475c5ef215937ffa731c483a045a9be4a595cf364cdd7ef176fb3ceb2a
- SSDEEP: 24576:YVOLo9vAjkR9Jj7p9Y2FyQeyTloIJIZxSmIuu+NI/nNInr:YICojkvJ3RT/32fI/Cnr
Malware Config
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
  13 | 4984 | rundll32.exe
  39 | 4984 | rundll32.exe
-
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BIBUtils\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\BIBUtils.dll㈀" | rundll32.exe
-
Sets service image path in registry (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BIBUtils\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
-
Loads dropped DLL (2 IoCs)
Processes (pid | process):
  4984 | rundll32.exe
  564 | svchost.exe
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 4984 set thread context of 2436 | 4984 | rundll32.exe | rundll32.exe
-
Drops file in Program Files directory (12 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.x3d | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.svg | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\submission_history.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Comments.aapp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
  4776 | 4912 | WerFault.exe | 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe
-
Checks processor information in registry (2 TTPs, 37 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
-
Modifies registry class (5 IoCs)
Processes (description | ioc | process):
  Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 4984 | rundll32.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid | process):
  2436 | rundll32.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 4912 wrote to memory of 4984 | 4912 | 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe | rundll32.exe
  PID 4912 wrote to memory of 4984 | 4912 | 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe | rundll32.exe
  PID 4912 wrote to memory of 4984 | 4912 | 0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe | rundll32.exe
  PID 4984 wrote to memory of 2436 | 4984 | rundll32.exe | rundll32.exe
  PID 4984 wrote to memory of 2436 | 4984 | rundll32.exe | rundll32.exe
  PID 4984 wrote to memory of 2436 | 4984 | rundll32.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0375df4950a841114b927ab0b52a9e237dd61565988233b96de7589be79465d5.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
    Signatures:
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
      Signatures:
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 528
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4912 -ip 4912
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Signatures:
  - Loads dropped DLL
  - Checks processor information in registry
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\bibutils.dll",hSNiYlFN
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll
  Filesize: 797KB
  MD5: f6bfd8ac0af9837490b411e1c46e1e25
  SHA1: 36708eeb16f4acb8c204cdce76016a8914a2e5a4
  SHA256: c23f9b0a0831feb40c9bca3ffbb7ac9418000738243db3e27083cadf610a8c18
  SHA512: 9a385659f7f9280293a8ae9194a1621c8bcb82f513cf42cf7e38591dc22b21574e22d1f991040da71a791ecef50af9e517e39c0980ce61175c1a86d42fed68db
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml
  Filesize: 23KB
  MD5: 37cde9afb1540513bd564d71867021e0
  SHA1: e319abb6093025dccc55618fb407c1182ccdafe7
  SHA256: 516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f
  SHA512: 6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
  Filesize: 2.3MB
  MD5: a3ce169ef7664f269c9d2211533eeae4
  SHA1: e712768deb949664e15a3a651334e4171bd564dd
  SHA256: ad507d233a4cd43d7afe81998ad2b76785798757581ce59e3f57c86a48c38d60
  SHA512: 7692faa05775ac76a9e45050926a31473868871c3d91663221a94d3073ffaa52727cf542d0e70421c5dd05c30e29c9c410aace37d1eb2111f7e17f098f53fdf0
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 7KB
  MD5: e585657cf3525fd22dad5e2409eb9e60
  SHA1: 1c0b9d97bb93098e1d8a162b9725a0d6134dc913
  SHA256: 581fd3d9aa551599bd691b5b23cdc51c48f7f3a65955adf1e1d0fef0a8cfb8b8
  SHA512: 601c03a19bb0d1170db8c3a05ff4a38d209e2ec53426b2048362504b75e3971f40480afd118cd741a52e69ba5a55c61dd4cc488f335be3d67584982009392ced
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 28KB
  MD5: b8c1eec848c415eea04839ad0af75950
  SHA1: 652ccb0f39fcb73b3fe31a231e490bbdb2a1d0bc
  SHA256: 694699e06fa830a2fb3b79d472b9d2560686e5ebd752022fd902ff2d1e82c162
  SHA512: 24f5629b1947690ee9fa911f1620a311db6f9433e77f8db67b468fb8624c3adcbfb21138c591a51d4e2e5f595ce9a5684203543890165fd2e88092cf303fe563
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\abcpy.ini
  Filesize: 608B
  MD5: 818d3a4899c5596d8d8da00a87e6d8bb
  SHA1: 4e0e04f5ca5d81661702877852fd9d059722762f
  SHA256: 9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d
  SHA512: 1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edbres00001.jrs
  Filesize: 64KB
  MD5: fcd6bcb56c1689fcef28b57c22475bad
  SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
  SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
  SHA512: 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
  Filesize: 797KB
  MD5: 24925b25552a7d8f1d3292071e545920
  SHA1: f786e1d40df30f6fed0301d60c823b655f2d6eac
  SHA256: 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
  SHA512: 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
\??\c:\program files (x86)\windowspowershell\modules\bibutils.dll
  Filesize: 797KB
  MD5: f6bfd8ac0af9837490b411e1c46e1e25
  SHA1: 36708eeb16f4acb8c204cdce76016a8914a2e5a4
  SHA256: c23f9b0a0831feb40c9bca3ffbb7ac9418000738243db3e27083cadf610a8c18
  SHA512: 9a385659f7f9280293a8ae9194a1621c8bcb82f513cf42cf7e38591dc22b21574e22d1f991040da71a791ecef50af9e517e39c0980ce61175c1a86d42fed68db