d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/02/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

6.2MB
MD5

1a904107cb5b50c41a9a16912387e3c1
SHA1

52ae836393e634161420fd863c874383424a7554
SHA256

d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb
SHA512

cd6db4c6adec8704d82a0efc7800e5256d556189ae8abb4402d7a9dd224dc14558dede4f752ba2fd85cdc60e68de5b8864cfdd04461f8520c30735839233a11d
SSDEEP

98304:6zp35bfcuES0LuX2kBGQnfSJScysP9NPyA8KDbEo9ZLHPjUdLH68GuvT84:61Nf0LuXXGA7FA9NPyAFcC9ea8B3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1504	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 1504	2000	file.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 39 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	file.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28
PID 2000 wrote to memory of 1504	2000	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b940cb7-3593-46da-a476-fbf675685711.tmp

Filesize
86KB

MD5
0ec5ce95899838a24c980ac806c20573

SHA1
d83803ff60ac1e57c7e28ab303661df1fe0592fc

SHA256
fd867955f3837a24c8ce7399672be1447f0c2838d61a8e1a3177ecffe77c33b4

SHA512
e08275657df78826f0f5235df9858449405aec468d92fc04ae2034cd3ff36fa9da0821860921b19ee3be534c6cb9a875c9f9a21d8285f8c507f5db023105fe25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIDD36.tmp

Filesize
10KB

MD5
dbef78447120e830587017c581f994f1

SHA1
ea5214b9503e9a3b5335053b9f2e85c1bd26f3ce

SHA256
a380116d80066949811b29c5b53c20488c1ca6b05a955c1698aff58fc18ebf94

SHA512
eda079a1c4e25d18099accf11860b7c78c9c303c855d87ddfd1750a41e47571db6acf929921a20be693a18d948799279c3f7be47574a2004810021271d735b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tqowreresqesio.tmp

Filesize
3.5MB

MD5
986d821f783e659b975b2a59585b6235

SHA1
7a11d6ea48d35573772d248553ad831bd74e77ba

SHA256
311f57e791a79007b5cedbd9f520986ea3e2b6b05112d6eac5d113d9a2c9eb60

SHA512
580ba23d1bda3066120fcc8b37c845affe8a83f4bf6af56f94abd8b368c4087c790cad2d3f38233040677abb1523ba48ae2f75eb50401c9877612ecde51d3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
4KB

MD5
36cf8d512a14fd2c5263e06775f2da47

SHA1
3e8ae2e7855ac773837272177b985f1705f65667

SHA256
c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9

SHA512
e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20221111-155500-0.log

Filesize
33KB

MD5
24a4287418e4181d1ec9a882b7fcdd99

SHA1
77e060bf0a7400bb0b6c0f5cba9bf8d5532ae52e

SHA256
e12a4016d04ed514289956b5969c26da6e0d474893a7d0883d2ef8b9a56c505e

SHA512
056d3b83fdad4fd932368235d12f7875509b89c7af990ff6fc11d3ae230a688e2802409707e5831c9e8b28dc7d6fd18ace8bdab8d2885832dbc3083b8088f640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
memory/1504-73-0x0000000002A90000-0x00000000035CE000-memory.dmp

Filesize
11.2MB

Download
memory/1504-75-0x0000000000A70000-0x000000000148F000-memory.dmp

Filesize
10.1MB

Download
memory/1504-87-0x0000000002A90000-0x00000000035CE000-memory.dmp

Filesize
11.2MB

Download
memory/1504-86-0x00000000009C0000-0x00000000009D3000-memory.dmp

Filesize
76KB

Download
memory/1504-79-0x00000000035D0000-0x0000000003710000-memory.dmp

Filesize
1.2MB

Download
memory/1504-78-0x00000000035D0000-0x0000000003710000-memory.dmp

Filesize
1.2MB

Download
memory/1504-77-0x0000000002A90000-0x00000000035CE000-memory.dmp

Filesize
11.2MB

Download
memory/1504-76-0x0000000002A90000-0x00000000035CE000-memory.dmp

Filesize
11.2MB

Download
memory/1504-69-0x0000000000A70000-0x000000000148F000-memory.dmp

Filesize
10.1MB

Download
memory/2000-68-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-59-0x00000000027A0000-0x00000000032DE000-memory.dmp

Filesize
11.2MB

Download
memory/2000-62-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-67-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-66-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-65-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-61-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-54-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/2000-60-0x00000000027A0000-0x00000000032DE000-memory.dmp

Filesize
11.2MB

Download
memory/2000-57-0x00000000027A0000-0x00000000032DE000-memory.dmp

Filesize
11.2MB

Download
memory/2000-56-0x00000000027A0000-0x00000000032DE000-memory.dmp

Filesize
11.2MB

Download
memory/2000-55-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/2000-64-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-63-0x00000000034A0000-0x00000000035E0000-memory.dmp

Filesize
1.2MB

Download
memory/2000-88-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/2000-89-0x00000000027A0000-0x00000000032DE000-memory.dmp

Filesize
11.2MB

Download