Analysis
- max time kernel: 133s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2022 09:55
Static task: static1
Behavioral task: behavioral1
- Sample: f54e72ec43ba9b6d7dcb039cc2ad48f6.exe
- Resource: win7-20220901-en
General
- Target: f54e72ec43ba9b6d7dcb039cc2ad48f6.exe
- Size: 1.1MB
- MD5: f54e72ec43ba9b6d7dcb039cc2ad48f6
- SHA1: 4dd3e8194b67d5e594eee18101bee38a69d1343a
- SHA256: 106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f
- SHA512: 50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e
- SSDEEP: 24576:T8Wm0i8kSft6kipJYRYWvFZS1LVb1wkOGM9MiALQ2wFP:PGhSEvARYSZSxBBOxJAQhFP
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
  flow  pid   process
  7     2820  rundll32.exe
  8     2820  rundll32.exe
  10    2820  rundll32.exe
  11    2820  rundll32.exe
  47    2820  rundll32.exe
Loads dropped DLL (1 IoC)
  pid   process
  2820  rundll32.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
  pid   process       target pid  target process
  2820  rundll32.exe  1960        rundll32.exe
Per the process tree below, PID 2820 is the SysWOW64 (32-bit) rundll32.exe and PID 1960 the System32 (64-bit) one; the memory dumps for 1960 lie above the 4GB boundary, consistent with a 64-bit target.
Drops file in Program Files directory (12 IoCs)
  process: rundll32.exe
  File created:
    C:\Program Files (x86)\WindowsPowerShell\Modules\Review_RHP.aapp
    C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif
    C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe
    C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d
    C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.x3d
    C:\Program Files (x86)\WindowsPowerShell\Modules\tl.dll
  File opened for modification:
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll
Every file created under WindowsPowerShell\Modules except tl.dll has a same-named file opened under the Acrobat Reader DC install; ViewerPS.dll is opened but no copy of it is recorded. Of the created files only tl.dll appears in the Downloads list with hashes, and it is later loaded by rundll32.exe (PID 3504).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Nothing else in this report corroborates ransomware (the file activity is a dozen creates/opens, with no bulk rewrites or ransom note), so treat this signature as a weak indicator here.
Program crash (1 IoC)
  pid   pid_target  process       target process
  4556  904         WerFault.exe  f54e72ec43ba9b6d7dcb039cc2ad48f6.exe
Checks processor information in registry (2 TTPs, 27 IoCs)
Processor information is often read in order to detect sandboxing environments.
  process: rundll32.exe; all keys are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key opened: CentralProcessor, CentralProcessor\0, CentralProcessor\1
  Key enumerated: CentralProcessor
  Key value enumerated: CentralProcessor\0, CentralProcessor\1
  Key value queried under CentralProcessor\0: Component Information, Configuration Data, FeatureSet, Identifier, ~MHz, Platform Specific Field 1, Previous Update Revision, ProcessorNameString, Update Revision, Update Status, VendorIdentifier
  Key value queried under CentralProcessor\1: Component Information, Configuration Data, FeatureSet, ~MHz, Platform Specific Field 1, Previous Update Revision, ProcessorNameString, Update Revision, Update Status, VendorIdentifier
Modifies registry class (5 IoCs)
  process: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Set value (data): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid   process       token
  2820  rundll32.exe  SeDebugPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1960  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  pid   process                               target pid  target process
  904   f54e72ec43ba9b6d7dcb039cc2ad48f6.exe  2820        rundll32.exe   (3 writes)
  2820  rundll32.exe                          1960        rundll32.exe   (3 writes)
Processes
C:\Users\Admin\AppData\Local\Temp\f54e72ec43ba9b6d7dcb039cc2ad48f6.exe  (PID 904)
  command line: "C:\Users\Admin\AppData\Local\Temp\f54e72ec43ba9b6d7dcb039cc2ad48f6.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 2820)
    command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe  (PID 1960)
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\schtasks.exe  (PID 3152)
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    C:\Windows\SysWOW64\schtasks.exe  (PID 1300)
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  C:\Windows\SysWOW64\WerFault.exe  (PID 4556)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 556
    - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 2748)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 904 -ip 904
C:\Windows\System32\rundll32.exe  (PID 3008)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\svchost.exe  (PID 2400)
  command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  C:\Windows\SysWOW64\rundll32.exe  (PID 3504)
    command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\tl.dll",aQ5b
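Added example, not part of the sandbox report and not the sandbox's own signature logic: a triage pass over the process tree above, transcribed into Python. It flags rundll32 invocations whose module is not a .dll under the Windows system directories (the Temp .tmp load by PID 2820 and the WindowsPowerShell\Modules\tl.dll load by PID 3504), a schtasks /End followed by /Run on the same task name from one parent (the Wininet\CacheTask pair under PID 2820; the tree also shows svchost -k LocalService with a rundll32 child loading tl.dll), and a process running from a user-writable directory that spawns children (PID 904). The parent links are inferred from tree depth, and the rule names and path heuristics are this example's own assumptions.

```python
"""Triage rules over the process tree recorded above.

Constructed input: PROCESSES is transcribed from the report's Processes
section; parent PIDs are inferred from tree depth (an assumption). The
rules are illustrative, not the sandbox's own signature logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    cmdline: str


PROCESSES: List[Proc] = [
    Proc(904, None, r'"C:\Users\Admin\AppData\Local\Temp\f54e72ec43ba9b6d7dcb039cc2ad48f6.exe"'),
    Proc(2820, 904, r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye'),
    Proc(1960, 2820, r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137'),
    Proc(3152, 2820, r'schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask'),
    Proc(1300, 2820, r'schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask'),
    Proc(4556, 904, r'C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 556'),
    Proc(2748, None, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 904 -ip 904'),
    Proc(3008, None, r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding'),
    Proc(2400, None, r'C:\Windows\SysWOW64\svchost.exe -k LocalService'),
    Proc(3504, 2400, r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\tl.dll",aQ5b'),
]

# Windows-style tokeniser: a quoted string is one token, otherwise split on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_SCHTASKS = re.compile(r'schtasks(?:\.exe)?\s+/(end|run)\s+/tn\s+(\S+)', re.I)
_SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
_USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\')   # heuristic list


def tokens(cmdline: str) -> List[str]:
    return [q if q else u for q, u in _TOKEN.findall(cmdline)]


def rundll32_findings(p: Proc) -> List[str]:
    """rundll32 loading a module that is not a .dll under System32/SysWOW64."""
    toks = tokens(p.cmdline)
    if len(toks) < 2 or not toks[0].lower().endswith('rundll32.exe'):
        return []
    module = toks[1].split(',', 1)[0].lower()   # "<path>,<export>" -> path
    out = []
    if not module.endswith('.dll'):
        out.append(f'rundll32 loads non-.dll module: {module}')
    if not module.startswith(_SYSTEM_DIRS):
        out.append(f'rundll32 loads module outside system directories: {module}')
    return out


def task_cycle_findings(procs: List[Proc]) -> Dict[int, List[str]]:
    """schtasks /End and /Run on the same task name, both from the same parent."""
    seen: Dict[tuple, Dict[str, int]] = defaultdict(dict)
    for p in procs:
        m = _SCHTASKS.search(p.cmdline)
        if m:
            seen[(p.ppid, m.group(2))][m.group(1).lower()] = p.pid
    out: Dict[int, List[str]] = defaultdict(list)
    for (ppid, task), verbs in seen.items():
        if ppid is not None and 'end' in verbs and 'run' in verbs:
            out[ppid].append(f'schtasks /End then /Run on {task} (pids {verbs["end"]}, {verbs["run"]})')
    return out


def user_dir_spawn_findings(procs: List[Proc]) -> Dict[int, List[str]]:
    """An image in a user-writable directory that spawned other processes."""
    children: Dict[int, List[int]] = defaultdict(list)
    for p in procs:
        if p.ppid is not None:
            children[p.ppid].append(p.pid)
    out: Dict[int, List[str]] = defaultdict(list)
    for p in procs:
        image = (tokens(p.cmdline) or [''])[0].lower()
        if any(marker in image for marker in _USER_WRITABLE) and children.get(p.pid):
            out[p.pid].append(f'image in user-writable path spawned pids {sorted(children[p.pid])}')
    return out


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """PID -> reasons, for every process at least one rule fired on."""
    findings: Dict[int, List[str]] = defaultdict(list)
    for p in procs:
        findings[p.pid].extend(rundll32_findings(p))
    for table in (task_cycle_findings(procs), user_dir_spawn_findings(procs)):
        for pid, reasons in table.items():
            findings[pid].extend(reasons)
    return {pid: reasons for pid, reasons in findings.items() if reasons}


if __name__ == '__main__':
    for pid, reasons in sorted(triage(PROCESSES).items()):
        for reason in reasons:
            print(f'PID {pid}: {reason}')
```

The rundll32 rule deliberately keys on the module path rather than the export name: the export names here (Wufaiiuuye, aQ5b) are arbitrary, while "a .tmp from the user's Temp directory" and "a DLL under WindowsPowerShell\Modules" are stable properties of the command line. The same shell32.dll invocations by PIDs 1960 and 3008 pass the rule, which is the intended false-positive boundary.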
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\WindowsPowerShell\Modules\tl.dll
  Filesize: 797KB
  MD5: 42d704b84a7fecfd38d0f6e14fdadaa2
  SHA1: 952c7030db3a653a2f68711b94da852060ecf47f
  SHA256: a99fe485a22fa50c2cfc929a3aa3b602ef5ba72a2b03811c73465998c231d845
  SHA512: c1989d325ac4efa554a7ebca53f502a3eec746e7267c197221e46ed3d586890ffe2cba921db75405bf4f1cb8b70a508a1c1fcbea837198d43a9e540688b9762d
- C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
  Filesize: 2.3MB
  MD5: 50d23ef3b65dfcbea418948122e2338c
  SHA1: 7d0a04be14fcfa5cadeaf9899cd44d48917bf736
  SHA256: b7d3dc673c6f6e02f289b096c97ad9cc3b7183edbc4ff3e97fd0cdb9ae9cd5f8
  SHA512: bb1f0a81e7ed02cdce36e125f7e00880ddcedcbb48c7c0a416dc434c78de4a616d0cbc86ace0f8c670cd480b581c910fe76df452cc49d466b46bd5a2fa70eb38
- C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 849B
  MD5: bd5949f7138558f33eeadec17d3605a1
  SHA1: 7089296812fd9348b62936a6eea5928809f26d63
  SHA256: 0b9ef96887d1143ced0048b15f5437eaf878c932dd89a05794a742ce8f905fe6
  SHA512: 6be4a51529e882a8f6c3001a8598ce41d00f401bc53ec3e38b1122cf2e61076ef3a780c077f672faae774078a4dc68e6481f1ad660342d2836dde9b38c6752d8
- C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 913B
  MD5: 1600f66ce0d9c342eb6a49155a2f8c14
  SHA1: e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07
  SHA256: 8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27
  SHA512: ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00
- C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\print_queue.ico
  Filesize: 55KB
  MD5: 0f3c6d90637f0fdc57b1d303cf8d76cd
  SHA1: 91cef4325b363b31e4555302a70321a2110b51cf
  SHA256: 4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261
  SHA512: 6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5
- C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\tasks.xml
  Filesize: 11KB
  MD5: 6ab160b8998020e6d4373c003e9879d4
  SHA1: efa87d3fb95a73a892ed88b08651c44fe03c150f
  SHA256: faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516
  SHA512: c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b
- C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
  Filesize: 797KB
  MD5: 24925b25552a7d8f1d3292071e545920
  SHA1: f786e1d40df30f6fed0301d60c823b655f2d6eac
  SHA256: 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
  SHA512: 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
- \??\c:\program files (x86)\windowspowershell\modules\tl.dll (same file as the tl.dll entry above, recorded under its NT object path)
  Filesize: 797KB
  MD5: 42d704b84a7fecfd38d0f6e14fdadaa2
  SHA1: 952c7030db3a653a2f68711b94da852060ecf47f
  SHA256: a99fe485a22fa50c2cfc929a3aa3b602ef5ba72a2b03811c73465998c231d845
  SHA512: c1989d325ac4efa554a7ebca53f502a3eec746e7267c197221e46ed3d586890ffe2cba921db75405bf4f1cb8b70a508a1c1fcbea837198d43a9e540688b9762d
Memory dumps (grouped by PID; range dumps carry the region size, mapping dumps carry none):
- memory/904-133-0x00000000022AB000-0x0000000002399000-memory.dmp  Filesize: 952KB
- memory/904-134-0x0000000002480000-0x00000000025B0000-memory.dmp  Filesize: 1.2MB
- memory/904-136-0x0000000000400000-0x0000000000531000-memory.dmp  Filesize: 1.2MB
- memory/1300-167-0x0000000000000000-mapping.dmp
- memory/1960-146-0x00007FF711936890-mapping.dmp
- memory/1960-148-0x0000029911330000-0x0000029911470000-memory.dmp  Filesize: 1.2MB
- memory/1960-149-0x00000000005E0000-0x00000000007F9000-memory.dmp  Filesize: 2.1MB
- memory/1960-150-0x0000029911330000-0x0000029911470000-memory.dmp  Filesize: 1.2MB
- memory/1960-151-0x000002990F960000-0x000002990FB8A000-memory.dmp  Filesize: 2.2MB
- memory/2400-156-0x0000000003B90000-0x00000000042B5000-memory.dmp  Filesize: 7.1MB
- memory/2400-157-0x0000000003B90000-0x00000000042B5000-memory.dmp  Filesize: 7.1MB
- memory/2400-168-0x0000000003B90000-0x00000000042B5000-memory.dmp  Filesize: 7.1MB
- memory/2820-132-0x0000000000000000-mapping.dmp
- memory/2820-138-0x0000000006510000-0x0000000006C35000-memory.dmp  Filesize: 7.1MB
- memory/2820-139-0x0000000006510000-0x0000000006C35000-memory.dmp  Filesize: 7.1MB
- memory/2820-140-0x0000000005260000-0x00000000053A0000-memory.dmp  Filesize: 1.2MB
- memory/2820-141-0x0000000005260000-0x00000000053A0000-memory.dmp  Filesize: 1.2MB
- memory/2820-142-0x0000000005260000-0x00000000053A0000-memory.dmp  Filesize: 1.2MB
- memory/2820-143-0x0000000005260000-0x00000000053A0000-memory.dmp  Filesize: 1.2MB
- memory/2820-144-0x0000000005260000-0x00000000053A0000-memory.dmp  Filesize: 1.2MB
- memory/2820-145-0x0000000005260000-0x00000000053A0000-memory.dmp  Filesize: 1.2MB
- memory/2820-147-0x00000000052D9000-0x00000000052DB000-memory.dmp  Filesize: 8KB
- memory/2820-152-0x0000000006510000-0x0000000006C35000-memory.dmp  Filesize: 7.1MB
- memory/3152-166-0x0000000000000000-mapping.dmp
- memory/3504-162-0x0000000000000000-mapping.dmp
- memory/3504-164-0x0000000004040000-0x0000000004765000-memory.dmp  Filesize: 7.1MB
- memory/3504-165-0x0000000004040000-0x0000000004765000-memory.dmp  Filesize: 7.1MB
- memory/3504-169-0x0000000004040000-0x0000000004765000-memory.dmp  Filesize: 7.1MB
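Added example, not part of the report: correlating the dump regions listed above across processes. The dump names encode PID and address range, so region sizes can be computed and compared: rundll32.exe (PID 2820), svchost.exe -k LocalService (PID 2400) and the rundll32.exe that loads tl.dll (PID 3504) each hold a region of exactly 0x725000 bytes (the 7.1MB entries), and PIDs 1960 and 2820 each hold one of 0x140000 bytes. Equal size is only a hint that one payload was written into each process; confirming it means comparing the dump contents, which this example does not do. The DUMPS list is transcribed from the report; the function names and the 4GB address threshold used to spot the 64-bit process are this example's own.

```python
"""Correlate memory-dump regions across processes.

Constructed input: DUMPS is transcribed from the report's memory dump list
(file names only). Same-sized regions in several processes are a cheap hint
of one payload copied into each; a follow-up should compare dump contents.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DUMPS: List[str] = [
    'memory/904-133-0x00000000022AB000-0x0000000002399000-memory.dmp',
    'memory/904-134-0x0000000002480000-0x00000000025B0000-memory.dmp',
    'memory/904-136-0x0000000000400000-0x0000000000531000-memory.dmp',
    'memory/1300-167-0x0000000000000000-mapping.dmp',
    'memory/1960-146-0x00007FF711936890-mapping.dmp',
    'memory/1960-148-0x0000029911330000-0x0000029911470000-memory.dmp',
    'memory/1960-149-0x00000000005E0000-0x00000000007F9000-memory.dmp',
    'memory/1960-150-0x0000029911330000-0x0000029911470000-memory.dmp',
    'memory/1960-151-0x000002990F960000-0x000002990FB8A000-memory.dmp',
    'memory/2400-156-0x0000000003B90000-0x00000000042B5000-memory.dmp',
    'memory/2400-157-0x0000000003B90000-0x00000000042B5000-memory.dmp',
    'memory/2400-168-0x0000000003B90000-0x00000000042B5000-memory.dmp',
    'memory/2820-132-0x0000000000000000-mapping.dmp',
    'memory/2820-138-0x0000000006510000-0x0000000006C35000-memory.dmp',
    'memory/2820-139-0x0000000006510000-0x0000000006C35000-memory.dmp',
    'memory/2820-140-0x0000000005260000-0x00000000053A0000-memory.dmp',
    'memory/2820-145-0x0000000005260000-0x00000000053A0000-memory.dmp',
    'memory/2820-147-0x00000000052D9000-0x00000000052DB000-memory.dmp',
    'memory/2820-152-0x0000000006510000-0x0000000006C35000-memory.dmp',
    'memory/3152-166-0x0000000000000000-mapping.dmp',
    'memory/3504-162-0x0000000000000000-mapping.dmp',
    'memory/3504-164-0x0000000004040000-0x0000000004765000-memory.dmp',
    'memory/3504-169-0x0000000004040000-0x0000000004765000-memory.dmp',
]

# Range dumps only; "-mapping.dmp" entries carry a single address and are skipped.
_REGION = re.compile(r'memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')


def parse_regions(names: List[str]) -> List[Tuple[int, int, int, int]]:
    """(pid, dump index, start, end) for every range dump in the list."""
    out = []
    for name in names:
        m = _REGION.match(name)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)))
    return out


def regions_by_pid(names: List[str]) -> Dict[int, Set[Tuple[int, int]]]:
    """Distinct (start, end) ranges per PID; repeated dumps of one range collapse."""
    by_pid: Dict[int, Set[Tuple[int, int]]] = defaultdict(set)
    for pid, _, start, end in parse_regions(names):
        by_pid[pid].add((start, end))
    return by_pid


def shared_region_sizes(names: List[str], min_pids: int = 2) -> Dict[int, Set[int]]:
    """Region size -> PIDs holding a region of exactly that size, for sizes seen in >= min_pids processes."""
    by_size: Dict[int, Set[int]] = defaultdict(set)
    for pid, ranges in regions_by_pid(names).items():
        for start, end in ranges:
            by_size[end - start].add(pid)
    return {size: pids for size, pids in by_size.items() if len(pids) >= min_pids}


def high_address_pids(names: List[str], limit: int = 1 << 32) -> Set[int]:
    """PIDs with a dumped region above the 32-bit address space, i.e. 64-bit processes."""
    return {pid for pid, ranges in regions_by_pid(names).items() if any(s >= limit for s, _ in ranges)}


def human(size: int) -> str:
    """Size as the report prints it: MB to one decimal from 1MB up, else whole KB."""
    return f'{size / (1 << 20):.1f}MB' if size >= 1 << 20 else f'{size // 1024}KB'


if __name__ == '__main__':
    for size, pids in sorted(shared_region_sizes(DUMPS).items(), reverse=True):
        print(f'{human(size)} (0x{size:X}) region present in PIDs {sorted(pids)}')
    print('64-bit processes by dump address:', sorted(high_address_pids(DUMPS)))
```

Repeated dumps of the same range (the sandbox dumped 0x5260000-0x53A0000 in PID 2820 six times) are collapsed per PID before sizes are compared, so a process that was simply dumped often does not look like several processes sharing a payload.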