Analysis
-
max time kernel
127s
-
max time network
130s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
20/12/2022, 14:30
Static task
static1
Behavioral task
behavioral1
Sample
c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll
Resource
win10v2004-20220901-en
Errors
General
-
Target
c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll
-
Size
2.4MB
-
MD5
3b8bdfd2524da789d5611e1877c89f5d
-
SHA1
e6b3400bfed1e2d367b78e9bfe5188401eb742f6
-
SHA256
c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628
-
SHA512
f779fc56f058b03f003901f454e4160b18cf88753face31f3c1401511e997e4f4b4f5ca4a74f7759bb74a1f3fa6c974af1bee76df55ace747f5022ecbf341dde
-
SSDEEP
49152:zrqVHNsAsWe8AdaSTBfA3XGGuGATN8LxZ:zaPenfA32r8Lz
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow | pid | Process
2 | 1852 | rundll32.exe
5 | 1852 | rundll32.exe
9 | 1852 | rundll32.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\main\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\main.dll" | rundll32.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\main\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
-
Loads dropped DLL 1 IoCs
pid | Process
1036 | svchost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1852 set thread context of 1480 | 1852 | rundll32.exe | 31
-
Drops file in Program Files directory 18 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\UKRAINE.TXT | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\main.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\brt04.hsp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobePiStd.otf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\ICELAND.TXT | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\AdobeCollabSync.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\QuickTime.mpp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\digest.s | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt | rundll32.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\CGMIMP32.FLT | rundll32.exe
Apart from main.dll, every file created under Microsoft Sync Framework\v1.0 shares its name with an existing Adobe Reader, Adobe AIR or GRPHFLT file that was opened for modification in the same run (UKRAINE.TXT, ICELAND.TXT, brt04.hsp, AdobePiStd.otf, AdobeCollabSync.exe, digest.s, QuickTime.mpp, CGMIMP32.FLT), so the staging directory is populated with legitimate-looking neighbours for the dropped DLL.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; treat that as a weak indicator here, since the file activity recorded in this report is limited to the Program Files entries above and shows no encryption.
-
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
-
Modifies registry class 24 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | rundll32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | rundll32.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1480 | rundll32.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28
PID 1852 wrote to memory of 1480 | 1852 | rundll32.exe | 31
PID 1852 wrote to memory of 1480 | 1852 | rundll32.exe | 31
PID 1852 wrote to memory of 1480 | 1852 | rundll32.exe | 31
PID 1852 wrote to memory of 1480 | 1852 | rundll32.exe | 31
PID 1852 wrote to memory of 1480 | 1852 | rundll32.exe | 31
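The WriteProcessMemory rows above and the SetThreadContext row earlier in this report are most useful read together: a process writing into a child it has just created is routine (the process-creation path itself writes into the new child), so the seven writes from 2036 into 1852 are weak evidence on their own, whereas writes into a child followed by SetThreadContext on the same pair, as with 1852 and 1480, is the hollowing/injection shape. The following added example (editor's code, not part of the sandbox report) feeds the report's own IoC rows, one per line, through that correlation; the only assumption is the row wording shown in the two tables.

```python
"""Correlate WriteProcessMemory and SetThreadContext indicators per process pair.

Added example, not sandbox code. Input rows are the report's own IoC lines, one per line.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def correlate(lines: List[str]) -> Dict[Tuple[int, int], Dict[str, object]]:
    """Map (source pid, target pid) -> {'writes': count, 'set_context': bool}."""
    pairs: Dict[Tuple[int, int], Dict[str, object]] = defaultdict(
        lambda: {"writes": 0, "set_context": False}
    )
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))]["writes"] += 1
        m = CONTEXT_RE.search(line)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))]["set_context"] = True
    return dict(pairs)


def injection_candidates(lines: List[str]) -> List[Tuple[int, int]]:
    """Pairs where the writer also replaced a thread context in the target.

    Writes alone are noise (parents write into freshly created children); writes plus
    SetThreadContext on the same (source, target) pair is what distinguishes hollowing
    or thread hijacking from ordinary process creation.
    """
    return sorted(
        pair for pair, s in correlate(lines).items() if s["writes"] and s["set_context"]
    )


# Rows copied from the report's two signature tables (7 + 5 WriteProcessMemory, 1 SetThreadContext).
REPORT_ROWS = (
    ["PID 2036 wrote to memory of 1852 | 2036 | rundll32.exe | 28"] * 7
    + ["PID 1852 wrote to memory of 1480 | 1852 | rundll32.exe | 31"] * 5
    + ["PID 1852 set thread context of 1480 | 1852 | rundll32.exe | 31"]
)

if __name__ == "__main__":
    for pair, stats in correlate(REPORT_ROWS).items():
        print(pair, stats)
    print("injection candidates:", injection_candidates(REPORT_ROWS))
```

Run on the report's rows this yields one candidate, (1852, 1480): the SysWOW64 rundll32.exe writing into, and then setting the thread context of, the child rundll32.exe that is later seen running shell32.dll,#61 and writing shell-bag keys. The parent pair (2036, 1852) is correctly left out despite having more writes.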
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2036
  -
  C:\Windows\SysWOW64\rundll32.exe (spawned by PID 2036)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID: 1852
    -
    C:\Windows\system32\rundll32.exe (spawned by PID 1852)
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20209
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID: 1480
-
C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  PID: 1036
The svchost.exe -k LocalService instance is reported as a separate top-level process rather than a child of the rundll32.exe chain; its command line matches the ImagePath that PID 1852 wrote for the service named main, and its only flagged behaviour is loading the dropped DLL, consistent with main.dll being loaded as that service's ServiceDll.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1KB
MD5
3fdf384789965b672fce2fd5d1fbe1d3
SHA1
f77691e9490c41d1bed43f516ed31afb5ad0ccc9
SHA256
235feb312f7b00d9cb04aec2e26cd2e65dccf3ad9e8f8c49e73326d7480477e0
SHA512
0e459af6b8c2dfc7e10b0b0d7c7eb7aa67eb7d0e9a7bbf80ea65bc9ab8f62b8b6f527ed15f81d373054575600b16ac78c19d1c46af44badaabf21de15b2d7d36
-
Filesize
2.3MB
MD5
4fe2d16e65f0219e9c44bae797634fc3
SHA1
314484cc0db5527a4b127a39d0f09df307bc815d
SHA256
6fef448647b6ac57e2d1fbf230e1dd9f5aeb6775293b737d97366950ab446d09
SHA512
d80981a69fb0aa3758ea591004dcc4f5ca25fef551cef2e5b794ff8fa2cd24037fc99f7ca335cbcf7ce9eafe1a56190f252af8d4199e138739712369d3987cac
-
Filesize
46KB
MD5
c8c28478cdf173e8743f51a3435851cf
SHA1
aef15f0a21b3f3ed49614108d7c6b4514c185157
SHA256
aed69f76f184a4e287a136b4f5f4d2be1343b324c6f28a99f460593952164a6d
SHA512
57c11e345608b830e5f14e5cd5d1188b7883fafc089a6f93ffcfc121a4ab752fe94e0d6c97b5bf6e060009cdd8ed7e89fdfb75dc1cf05a8223b03a0bc73e4e6d
-
Filesize
531KB
MD5
d08f5887bbd05d85fc0ddedb103fbbfa
SHA1
7c1948e47afb8ba8611280d130c340757bbc8bef
SHA256
859373e8a8ee2d5f81b8a375bda2eb622b4c9d27302615836ba493df6b86afab
SHA512
8cebf1d76454777e9557659493a233b183adf311df93632302db88aa0f92b89ceb465c0228039ea9227114154872926ac7cf2e510c5992f19dfa36b2a5707a5a
-
Filesize
48KB
MD5
d342c2b5f3d16dc992db22cb737ad617
SHA1
615a98744fb22809454b706174597a4d6b6d128b
SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486
SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7
-
Filesize
48KB
MD5
4e5c3e1452d39fb8742ce676a5033456
SHA1
fe6df7a297d5697cbce86a110d53f604da85db94
SHA256
bad04b1a9e50673c4f79fef48d129e474be08b367291ad738f0988ac58631a7a
SHA512
3263f77fa90239f2a7f17afb1a9b88fe6df1e33ee247e95b5f6ba4a962eaf780b148dc0d911f1c7a8eb71dcf540405c494636a084ec8be794b86bb70c4bdcec9
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
Filesize
405KB
MD5
0b497eb3695e9d4935fc1cde58f8dd01
SHA1
b5441bfc6fb21343e07fa5c4f46292e3a1014ecb
SHA256
79fdd0f3657d019594518df8e077daecb1861341039ab55d3775c8b8db729793
SHA512
2a20010c3dd74f29ea8b7fdd302d1b3abde020c93a585d38858c8e08e83a50724f6d62e6ff6e45914003f966923d23b0a55964824c685c879773d62548957d44
-
Filesize
2.4MB
MD5
cfa4bbfed587aafe14ed013bfec53acc
SHA1
92515ac4d124fe70f86c9298941ebaa4fd2efedd
SHA256
6240ce38131d8e010628849e53f9e0088791005ee75b896ec59e3053cfca2475
SHA512
2419a18da3779743988660609b619cb7fe89586482226053f28f8c8cfc4eabb93116478d2e86436189c4572761bc38bf5294c5f03a063c8b27fd74c719e9e830
-
Filesize
2.4MB
MD5
cfa4bbfed587aafe14ed013bfec53acc
SHA1
92515ac4d124fe70f86c9298941ebaa4fd2efedd
SHA256
6240ce38131d8e010628849e53f9e0088791005ee75b896ec59e3053cfca2475
SHA512
2419a18da3779743988660609b619cb7fe89586482226053f28f8c8cfc4eabb93116478d2e86436189c4572761bc38bf5294c5f03a063c8b27fd74c719e9e830