Analysis
  max time kernel: 116s
  max time network: 137s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20/12/2022, 14:30

Static task: static1

Behavioral task: behavioral1
  Sample: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll
  Resource: win10v2004-20220901-en

General
  Target: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll
  Size: 2.4MB
  MD5: 3b8bdfd2524da789d5611e1877c89f5d
  SHA1: e6b3400bfed1e2d367b78e9bfe5188401eb742f6
  SHA256: c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628
  SHA512: f779fc56f058b03f003901f454e4160b18cf88753face31f3c1401511e997e4f4b4f5ca4a74f7759bb74a1f3fa6c974af1bee76df55ace747f5022ecbf341dde
  SSDEEP: 49152:zrqVHNsAsWe8AdaSTBfA3XGGuGATN8LxZ:zaPenfA32r8Lz
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  10    5080  rundll32.exe
  13    5080  rundll32.exe
  47    5080  rundll32.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str) by rundll32.exe:
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64BitMAPIBroker\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\64BitMAPIBroker.dll"

Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str) by rundll32.exe:
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64BitMAPIBroker\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"

  Taken together, these two writes register a new svchost-hosted service named 64BitMAPIBroker whose ServiceDll lives under Program Files rather than System32, and they are written directly into the Services key by rundll32.exe rather than through the SCM. Note that the host process observed loading the DLL in this run is the WoW64 copy, C:\Windows\SysWOW64\svchost.exe -k LocalService (PID 2844 in the process list), not the system32 path stored in ImagePath, so a process-level rule keyed on the literal system32 path would not match the host actually seen.
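As an added example (not code from the sandbox or from the sample), the following Python reproduces the check a hunter would run over registry-write telemetry for this persistence pattern: group ImagePath and ServiceDll writes by service name, and flag svchost-hosted services whose DLL sits outside the Windows directory or whose ImagePath was written by something other than services.exe. The event shape (process, key, value name, data) is an assumption modelled on the report's "Set value (str)" rows; the input list is constructed from the two writes above plus a benign reference service for contrast.

```python
"""Flag svchost-hosted services whose ServiceDll lives outside the Windows
directory, the pattern recorded in the 64BitMAPIBroker registry writes.

Added example, not sandbox or sample code. Input format is an assumption:
(process, key path, value name, data) as printed in the report.
"""
from dataclasses import dataclass
import ntpath
import re

# Directories a legitimate svchost-hosted ServiceDll is expected to live in.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Matches the service key (ImagePath) and its Parameters subkey (ServiceDll);
# group 1 is the service name.
SERVICES_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\]+)(?:\\Parameters)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegWrite:
    process: str  # writing process, as printed in the report
    key: str      # registry key path
    name: str     # value name
    data: str     # value data as printed (quoted, backslashes doubled)


def normalize_path(data: str) -> str:
    """Undo the report's quoting and expand the usual %SystemRoot% spellings."""
    path = data.strip('"').replace("\\\\", "\\").lower()
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, r"c:\windows")
    return path


def collect_services(events):
    """Group ImagePath / ServiceDll writes (and who wrote them) by service name."""
    services = {}
    for ev in events:
        match = SERVICES_KEY.match(ev.key)
        value = ev.name.lower()
        if not match or value not in ("imagepath", "servicedll"):
            continue
        svc = services.setdefault(match.group(1).lower(), {})
        svc[value] = normalize_path(ev.data)
        svc[value + "_writer"] = ev.process.lower()
    return services


def suspicious_services(events):
    """Return {service: [reasons]} for svchost-hosted services that look planted."""
    findings = {}
    for name, svc in collect_services(events).items():
        image, dll = svc.get("imagepath", ""), svc.get("servicedll", "")
        if "svchost.exe" not in image or not dll:
            continue  # not a shared-host service, or no DLL registered
        reasons = []
        if not ntpath.dirname(dll).startswith(TRUSTED_DLL_DIRS):
            reasons.append(f"ServiceDll outside the Windows directory: {dll}")
        if svc.get("imagepath_writer") != "services.exe":
            # CreateService goes through the SCM; a direct write bypasses it.
            reasons.append(f"ImagePath written directly by {svc['imagepath_writer']}")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed input: the two writes from the report plus one benign service.
REPORT_EVENTS = [
    RegWrite("rundll32.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64BitMAPIBroker\Parameters",
             "ServiceDll",
             r'"C:\\Program Files (x86)\\MSBuild\\Microsoft\\64BitMAPIBroker.dll"'),
    RegWrite("rundll32.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\64BitMAPIBroker",
             "ImagePath",
             r'"C:\\Windows\\system32\\svchost.exe -k LocalService"'),
    # Benign reference (constructed): the Windows Event Log service.
    RegWrite("services.exe",
             r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Parameters",
             "ServiceDll", r'"%SystemRoot%\\System32\\wevtsvc.dll"'),
    RegWrite("services.exe",
             r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",
             "ImagePath",
             r'"%SystemRoot%\\System32\\svchost.exe -k LocalServiceNetworkRestricted"'),
]

if __name__ == "__main__":
    for svc, why in suspicious_services(REPORT_EVENTS).items():
        print(svc, "->", "; ".join(why))
```

Running it reports only 64bitmapibroker, with both reasons; the EventLog entry passes because its DLL resolves under System32 and its ImagePath came from services.exe.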
Loads dropped DLL (1 IoC)
  pid   process
  2844  svchost.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process       procid_target
  PID 5080 set thread context of 4160   5080  rundll32.exe  86
Drops file in Program Files directory (18 IoCs)
  All by rundll32.exe:
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\64BitMAPIBroker.exe
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\drvDX9.x3d
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\AppCenter_R.aapp
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\64BitMAPIBroker.dll
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\main-cef-win8.css
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.exe
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\duplicate.svg
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\EPDF_RHP.aapp
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\ScCore.dll

  Pattern worth noting: eight of the nine files created under C:\Program Files (x86)\MSBuild\Microsoft\ share their name with an Adobe Reader file opened in the same run (64BitMAPIBroker.exe from plug_ins\pi_brokers, ADelRCP.exe, ScCore.dll, two .aapp files, a .x3d, a .css and an .svg). The one created file with no Adobe counterpart is 64BitMAPIBroker.dll, which is the path written to the 64BitMAPIBroker service's ServiceDll above and later invoked by rundll32.exe (PID 4884). BIB.dll is opened but not copied. The staging directory therefore holds a copied Adobe broker executable next to a same-named DLL that has no source in the Reader directory in this run.
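The reconstruction above can be automated for any report of this shape. The Python below is an added example, not sandbox code: it takes the 18 file events (constructed inline as (action, path) pairs) and derives the staging directory, which dropped files are copies of opened files, which dropped file has no source, and whether a same-named .exe/.dll pair (the layout a side-loading payload needs) was assembled. Treating the Adobe files "opened for modification" as copy sources is an assumption; the report records the open, not what was done with the handle.

```python
"""Reconstruct the drop-and-stage pattern from 'Drops file' rows.

Added example, not sandbox code. FILE_EVENTS is constructed from the report.
"""
import ntpath
from collections import defaultdict

ADOBE = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"
STAGE = r"C:\Program Files (x86)\MSBuild\Microsoft"

# (action, path) in the order the report lists them.
FILE_EVENTS = [
    ("opened",  ADOBE + r"\WebResources\Resource0\static\images\file_types\duplicate.svg"),
    ("opened",  ADOBE + r"\plug_ins3d\drvDX9.x3d"),
    ("created", STAGE + r"\64BitMAPIBroker.exe"),
    ("created", STAGE + r"\drvDX9.x3d"),
    ("created", STAGE + r"\AppCenter_R.aapp"),
    ("opened",  ADOBE + r"\ADelRCP.exe"),
    ("opened",  ADOBE + r"\AcroApp\ENU\EPDF_RHP.aapp"),
    ("created", STAGE + r"\64BitMAPIBroker.dll"),
    ("created", STAGE + r"\main-cef-win8.css"),
    ("opened",  ADOBE + r"\plug_ins\pi_brokers\64BitMAPIBroker.exe"),
    ("opened",  ADOBE + r"\ScCore.dll"),
    ("created", STAGE + r"\ADelRCP.exe"),
    ("created", STAGE + r"\duplicate.svg"),
    ("created", STAGE + r"\EPDF_RHP.aapp"),
    ("opened",  ADOBE + r"\BIB.dll"),
    ("opened",  ADOBE + r"\WebResources\Resource0\static\css\main-cef-win8.css"),
    ("opened",  ADOBE + r"\AcroApp\ENU\AppCenter_R.aapp"),
    ("created", STAGE + r"\ScCore.dll"),
]


def staging_report(events):
    """Pair created files with opened files by basename (case-insensitive)."""
    created = defaultdict(list)   # basename -> paths written
    opened = defaultdict(list)    # basename -> paths opened (assumed copy sources)
    for action, path in events:
        bucket = created if action == "created" else opened
        bucket[ntpath.basename(path).lower()].append(path)

    staging_dirs = sorted({ntpath.dirname(p).lower()
                           for paths in created.values() for p in paths})
    copied = sorted(name for name in created if name in opened)
    unsourced = sorted(name for name in created if name not in opened)
    read_only = sorted(name for name in opened if name not in created)
    # A dropped EXE with a dropped DLL of the same stem beside it is the
    # arrangement a side-loading payload needs; the DLL is the one to pull.
    sideload_pairs = sorted(
        (exe, ntpath.splitext(exe)[0] + ".dll")
        for exe in created
        if exe.endswith(".exe") and ntpath.splitext(exe)[0] + ".dll" in created
    )
    return {
        "staging_dirs": staging_dirs,
        "copied": copied,          # legitimate files copied as camouflage
        "unsourced": unsourced,    # dropped with no legitimate source: payload candidates
        "read_only": read_only,    # opened but never copied
        "sideload_pairs": sideload_pairs,
    }


if __name__ == "__main__":
    for key, value in staging_report(FILE_EVENTS).items():
        print(f"{key}: {value}")
```

On this report the only unsourced file is 64bitmapibroker.dll and the only side-load pair is (64bitmapibroker.exe, 64bitmapibroker.dll), which is exactly the file the service registration points at.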
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing else in this report supports that reading for this sample: the only file writes recorded are the Program Files drops listed above, and the persistence is a service DLL. Treat it as a generic drive-enumeration indicator.
Checks processor information in registry (2 TTPs, 22 IoCs)
  Processor information is often read in order to detect sandboxing environments. All 22 accesses below are reads by rundll32.exe. Sysmon's registry events (IDs 12, 13 and 14) record key and value creation, deletion, modification and rename, not reads, so this indicator comes from the sandbox's API-level tracing and will not show up in Sysmon-based telemetry.

  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Modifies registry class (5 IoCs)
  All by rundll32.exe:
  Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
  Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
  Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   process
  Token: SeDebugPrivilege   5080  rundll32.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  4160  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   process       procid_target
  PID 960 wrote to memory of 5080     960   rundll32.exe  76
  PID 960 wrote to memory of 5080     960   rundll32.exe  76
  PID 960 wrote to memory of 5080     960   rundll32.exe  76
  PID 5080 wrote to memory of 4160    5080  rundll32.exe  86
  PID 5080 wrote to memory of 4160    5080  rundll32.exe  86
  PID 5080 wrote to memory of 4160    5080  rundll32.exe  86
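The WriteProcessMemory rows above describe two different things: 960 writing into 5080 is the 64-bit rundll32 starting its 32-bit copy with the same command line, while 5080 writing into 4160 is followed by a SetThreadContext on the same target, whose command line names only shell32.dll. The Python below is an added example, not sandbox code, that correlates these rows with the process tree to tell the two apart. PROCESSES and API_EVENTS are constructed from the report; treating a parent's writes into its own new child, with no thread-context change, as launch-time writes is an assumption used only for the baseline verdict.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows with the process tree.

Added example, not sandbox code. PROCESSES and API_EVENTS are constructed
from the report: pid -> (image, command line, parent pid) and
(api, source pid, target pid).
"""
import ntpath

SAMPLE = "c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll"
PROCESSES = {
    960: (r"C:\Windows\system32\rundll32.exe",
          rf"rundll32.exe C:\Users\Admin\AppData\Local\Temp\{SAMPLE},#1", None),
    5080: (r"C:\Windows\SysWOW64\rundll32.exe",
           rf"rundll32.exe C:\Users\Admin\AppData\Local\Temp\{SAMPLE},#1", 960),
    4160: (r"C:\Windows\system32\rundll32.exe",
           r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20229',
           5080),
}
API_EVENTS = (
    [("WriteProcessMemory", 960, 5080)] * 3
    + [("WriteProcessMemory", 5080, 4160)] * 3
    + [("SetThreadContext", 5080, 4160)]
)
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def split_args(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    tokens, current, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def loaded_dll_argument(cmdline):
    """For a rundll32-style command line, return the DLL it was told to load."""
    for token in split_args(cmdline)[1:]:
        head = token.split(",")[0]          # strip ',#ordinal' / ',Export'
        if head.lower().endswith(".dll"):
            return head.lower()
    return None


def injection_chains(procs, events):
    """Aggregate events per (source, target) pair and attach a verdict."""
    chains = {}
    for api, src, dst in events:
        chain = chains.setdefault((src, dst),
                                  {"src": src, "dst": dst, "writes": 0, "context_set": False})
        if api == "WriteProcessMemory":
            chain["writes"] += 1
        elif api == "SetThreadContext":
            chain["context_set"] = True
    for chain in chains.values():
        _image, cmdline, parent = procs[chain["dst"]]
        dll = loaded_dll_argument(cmdline)
        # A target whose command line only names a Windows system DLL is a decoy:
        # the visible arguments say nothing about the code written into it.
        chain["target_cmdline_is_decoy"] = bool(dll) and ntpath.dirname(dll).startswith(WINDOWS_DIRS)
        if chain["context_set"]:
            where = "own child" if parent == chain["src"] else "foreign process"
            chain["verdict"] = f"context hijack into {where}"
        elif parent == chain["src"]:
            chain["verdict"] = "launch writes"   # assumption: parent setting up a new child
        else:
            chain["verdict"] = "cross-process write"
    return list(chains.values())


if __name__ == "__main__":
    for chain in injection_chains(PROCESSES, API_EVENTS):
        print(chain)
```

The 5080 to 4160 pair comes out as a context hijack into its own child with a decoy command line; that is the process in which the "Modifies registry class" and "FindShellTrayWindow" signatures fire, so those belong to injected code, not to shell32's own export.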
Processes

  PID 960   C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1
            - Suspicious use of WriteProcessMemory

    PID 5080  C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\c05d24cef02f3b536d07d706a1446fb93e8fbf6c0e650fbbbf55aed8e14a7628.dll,#1
              - Blocklisted process makes network request
              - Sets DLL path for service in the registry
              - Sets service image path in registry
              - Suspicious use of SetThreadContext
              - Drops file in Program Files directory
              - Checks processor information in registry
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

      PID 4160  C:\Windows\system32\rundll32.exe
                "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20229
                - Modifies registry class
                - Suspicious use of FindShellTrayWindow

      PID 3732  C:\Windows\SysWOW64\schtasks.exe
                schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

      PID 1040  C:\Windows\SysWOW64\schtasks.exe
                schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

  PID 4340  C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

  PID 2844  C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe -k LocalService
            - Loads dropped DLL

    PID 4884  C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\64bitmapibroker.dll",PyQbeTJXNWs=
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 2.4MB
  MD5: 7ffb83c8928acd22a1438b000875f303
  SHA1: efc88722e356776628004f5d31ab60bf13f761fa
  SHA256: 19f8c12bda4c14fd92b6344769acb00649abde2643d974d3f974195acbd54eb2
  SHA512: 413054d65095e35ddf537e4e9ee6c7498356414d624b9bae5997156602fa3d7990615c141e3ef653cd1251b9b44bdee4f0acff4b51073ea4653e53aa6d95e742
- C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml
  Filesize: 14KB
  MD5: cc78ff3a9bbf1967185797f3eac2090a
  SHA1: 80204fdfac8110dddc7e5c59ada69feef33a0614
  SHA256: 7afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3
  SHA512: 5ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d

- Filesize: 2.3MB
  MD5: eb30d9fd8ce1e776d7247c252edafe5b
  SHA1: 5ae2b4d53c89287dbbf3850089241683b170b277
  SHA256: 268c2ebc133d6d755b83bf2809ea49ef6b01c208d01954a0e8a5f1d6bcaee93f
  SHA512: 0135c840f2f74b2dd4f0b6f1c679b54363598f92e1dd5c6b19307b7a0e0fcd8a20867b9fd686c3974ab8400e5ac75d258c8e1f2b3a798058f690fb73d937b595

- C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe.xml
  Filesize: 849B
  MD5: cff245d69fe04eec05ce3601d77467b6
  SHA1: d09b1d953eea98ef0b0fcec5936fc806940f7717
  SHA256: 40d6a0b80770bf41ddc0a3b3607ac53eb82d0f90675e5a595a18cd3f8bdf3d94
  SHA512: 4615affbbc7163076cbc82a8e65cd5d168d1411a028b47bddd0ec5219e08037304de1d14ae1fa659909760150edf5401e698c9f6252674eb4e84dec341aa3666

- C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe.xml
  Filesize: 7KB
  MD5: b290178a94a0bd93830d5714c11f9681
  SHA1: 9dd5d3337117568b6423a32dff9baf14fb11e73c
  SHA256: 5876d6a887dd7db15a3bea28e71c0aa044023eafb1eed8ca9356035f5943249c
  SHA512: ef5af5bc01510ea6e865e11a94bcf67966a01930fcdd9ab10bcb854a06976f59c909bd10e9ff3ef0aea53bad9a4af510401c05ada4c017e45ff512a127dea9fb

- C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml
  Filesize: 3KB
  MD5: 1a3168a15983b890b16390a23a89a02e
  SHA1: d56ce16d88d79159a27c2d1cd3770dc56d897ebe
  SHA256: 334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946
  SHA512: f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

- Filesize: 192KB
  MD5: 5fa49c1c863990caa01994342272b2c9
  SHA1: c52d1577b2907b462141e4ce74dc8563e52f00c8
  SHA256: bd19746ccaba594171cffbd9c31e144d1c29746fbfe484f787aaed83e5723b93
  SHA512: 3e1b1ec930ede363e2517fa33cf892295f2836af9843ac0216295624720fccbef643728b1998ce314d63e5409c4df95832933baca9d0b048ed8979c4fc4e20d7

- Filesize: 8KB
  MD5: 47f72135861cdde114ff79287e6006b6
  SHA1: 22b81b4310df90e5e32f1016bb574f49d21da132
  SHA256: 5c181fcf614064eb54823e6e4c43eee7412e6bd3d7901b4f816c39be45dcd12e
  SHA512: d900e3d9e9f0cfdc47a5ba534642938e96d666f1f5cbb93ec20e3f7a2ec96780fc919566bc61501d2c665212b7118d264342d124e6665e98b09ddccc733983e1

- Filesize: 64KB
  MD5: ec3d0a4df5f4aa1e3ee117d0357f73bc
  SHA1: 054cbdffe6d2f7d26acb41f95c7e56d90f9b2ad3
  SHA256: fccf5697101241b32bcf5fc3ef0469ce8eefc1a91518640d973f2cc859fb7589
  SHA512: cc1060099a17ae7b6bdbbb58a207d081020eb0b5fc0be537e42ee55bd4921b4039a50014af46fbca8374cb0d1cf6a0fc1e892d82947d76a79e84038287802580

- Filesize: 96KB
  MD5: f98f89ae9f3b3417b2b0f05bb4c870c7
  SHA1: 7004300e9f11fef74473f99ade3ed71d8c34dd22
  SHA256: 2a31397b5d41194cbe8cb86b19cf7ea4d82e5a43bdabe68d4cda297592701a22
  SHA512: 9532f2b1037734bfd9857e5939d0699071fd645486eb2de6a550b72e60df7fe79664ff1f091a3e8ee39ac913aae044f1526365580e0805dda038137ef5ea7899