d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb

Resubmissions

02/02/2023, 04:24

230202-e1kadseh77 8

02/02/2023, 04:13

230202-etasdagg51 8

02/02/2023, 04:01

230202-elbdyaeg75 8

Analysis

max time kernel
40s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Size

6.2MB
MD5

1a904107cb5b50c41a9a16912387e3c1
SHA1

52ae836393e634161420fd863c874383424a7554
SHA256

d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb
SHA512

cd6db4c6adec8704d82a0efc7800e5256d556189ae8abb4402d7a9dd224dc14558dede4f752ba2fd85cdc60e68de5b8864cfdd04461f8520c30735839233a11d
SSDEEP

98304:6zp35bfcuES0LuX2kBGQnfSJScysP9NPyA8KDbEo9ZLHPjUdLH68GuvT84:61Nf0LuXXGA7FA9NPyAFcC9ea8B3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1500	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1500	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1500	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27
PID 1672 wrote to memory of 1500	1672	d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe	27

C:\Users\Admin\AppData\Local\Temp\d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe
"C:\Users\Admin\AppData\Local\Temp\d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tqowreresqesio.tmp

Filesize
3.5MB

MD5
986d821f783e659b975b2a59585b6235

SHA1
7a11d6ea48d35573772d248553ad831bd74e77ba

SHA256
311f57e791a79007b5cedbd9f520986ea3e2b6b05112d6eac5d113d9a2c9eb60

SHA512
580ba23d1bda3066120fcc8b37c845affe8a83f4bf6af56f94abd8b368c4087c790cad2d3f38233040677abb1523ba48ae2f75eb50401c9877612ecde51d3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e069afc2-fed2-4478-8247-dee1c3b0b641.tmp

Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
4KB

MD5
36cf8d512a14fd2c5263e06775f2da47

SHA1
3e8ae2e7855ac773837272177b985f1705f65667

SHA256
c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9

SHA512
e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20220812-142942-0.log

Filesize
34KB

MD5
3d4f1c8262280e44e8a166dc00fd521d

SHA1
cade573080ab0ffb2c667d6ebea81e935f41a75c

SHA256
e4d7cc7cd7e9361de7e75daf8f69e63b08189754158748c8ea5d4db8ad49e16b

SHA512
e2135140761e617ff20a537cc91d1dc364e5b0b201b10b4cbf3e6082f6408d81e0e35828da5a2c187bbbf7eef2ac0647c1843a902a602b0434391b34376696c8

Download Submit
memory/1500-68-0x0000000000170000-0x0000000000B8F000-memory.dmp

Filesize
10.1MB

Download
memory/1500-84-0x0000000002810000-0x000000000334E000-memory.dmp

Filesize
11.2MB

Download
memory/1500-83-0x0000000002810000-0x000000000334E000-memory.dmp

Filesize
11.2MB

Download
memory/1500-82-0x0000000000170000-0x0000000000B8F000-memory.dmp

Filesize
10.1MB

Download
memory/1500-77-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1500-76-0x0000000003570000-0x00000000036B0000-memory.dmp

Filesize
1.2MB

Download
memory/1500-75-0x0000000002810000-0x000000000334E000-memory.dmp

Filesize
11.2MB

Download
memory/1500-73-0x0000000002810000-0x000000000334E000-memory.dmp

Filesize
11.2MB

Download
memory/1672-66-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-59-0x0000000002740000-0x000000000327E000-memory.dmp

Filesize
11.2MB

Download
memory/1672-71-0x0000000002740000-0x000000000327E000-memory.dmp

Filesize
11.2MB

Download
memory/1672-67-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-60-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-65-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-63-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-54-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/1672-57-0x0000000002740000-0x000000000327E000-memory.dmp

Filesize
11.2MB

Download
memory/1672-56-0x0000000002740000-0x000000000327E000-memory.dmp

Filesize
11.2MB

Download
memory/1672-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1672-64-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-61-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-62-0x00000000034C0000-0x0000000003600000-memory.dmp

Filesize
1.2MB

Download
memory/1672-85-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/1672-86-0x0000000002740000-0x000000000327E000-memory.dmp

Filesize
11.2MB

Download