Analysis

max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/12/2022, 13:46

Behavioral task: behavioral1
Sample: 29c6c5cf16aa0afad3bcfe27da105a9a803fdce6fda5b0be7efa035ef2ecac85.dll
Resource: win7-20220812-en
5 signatures
150 seconds
General

Target: 29c6c5cf16aa0afad3bcfe27da105a9a803fdce6fda5b0be7efa035ef2ecac85.dll
Size: 6.0MB
MD5: 4259e0661e20e39fe4481b230ce43655
SHA1: 8b79e1b07a785ec0b2a1613530dead6c38480bc4
SHA256: 29c6c5cf16aa0afad3bcfe27da105a9a803fdce6fda5b0be7efa035ef2ecac85
SHA512: c408c4ac5483b008a8b54a1c36a1a9d34487809426c08a0c5d4295271d583960b6c146ef43f81532daa8e88c208e54642101027dca7e88a17b3b9942b8a771b5
SSDEEP: 98304:EF07On+/mHph8BcHISKrQ4QltV1a6WRhE3UMtGBI25VSP:EWan+spKUWRhEESGq
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
1936  744         WerFault.exe  28

Checks processor information in registry (2 TTPs, 24 IoCs)
Processor information is often read in order to detect sandboxing environments.
description           ioc                                                                                 Process
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                 rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                              rundll32.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                            rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature  rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                 rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information      rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status              rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID                rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                       rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information      rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString        rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                            rundll32.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                            rundll32.exe
Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                              rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                       rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier           rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status              rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier           rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                 rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                            rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data         rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data         rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature           rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                         pid   Process       procid_target
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 1660 wrote to memory of 744     1660  rundll32.exe  28
PID 744 wrote to memory of 1936     744   rundll32.exe  29
PID 744 wrote to memory of 1936     744   rundll32.exe  29
PID 744 wrote to memory of 1936     744   rundll32.exe  29
PID 744 wrote to memory of 1936     744   rundll32.exe  29
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\29c6c5cf16aa0afad3bcfe27da105a9a803fdce6fda5b0be7efa035ef2ecac85.dll,#1
  PID: 1660
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\29c6c5cf16aa0afad3bcfe27da105a9a803fdce6fda5b0be7efa035ef2ecac85.dll,#1
    PID: 744
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 520
      PID: 1936
      - Program crash