d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

6.2MB
MD5

1a904107cb5b50c41a9a16912387e3c1
SHA1

52ae836393e634161420fd863c874383424a7554
SHA256

d9591561d1734fd90d7112d639c162fb3dc1910aeb77d8517b0ed14ee96c33eb
SHA512

cd6db4c6adec8704d82a0efc7800e5256d556189ae8abb4402d7a9dd224dc14558dede4f752ba2fd85cdc60e68de5b8864cfdd04461f8520c30735839233a11d
SSDEEP

98304:6zp35bfcuES0LuX2kBGQnfSJScysP9NPyA8KDbEo9ZLHPjUdLH68GuvT84:61Nf0LuXXGA7FA9NPyAFcC9ea8B3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	5016	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 5016	1712	file.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	file.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	file.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	file.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	rundll32.exe
5016	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5016	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 5016	1712	file.exe	82
PID 1712 wrote to memory of 5016	1712	file.exe	82
PID 1712 wrote to memory of 5016	1712	file.exe	82
PID 1712 wrote to memory of 5016	1712	file.exe	82

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\646a9946-d110-45e4-9694-7f4449423a86.tmp

Filesize
85KB

MD5
a5e8325a46bc84636d7db83520e57167

SHA1
4fd6f878b368fc76782805aec08d08e831357769

SHA256
43307d12c1ff7e50bec7e011cc421d07fa2b80c1f62ce25e1c3725cc7758f089

SHA512
507a692b67de06cc46a7019cd51d2e2b50419a2671d6125f890216f705e6f36424d7ab6b157d3b4bdf40103b1683169329d2d85813611ca179373fa7a1e3875d

Download Submit
C:\Users\Admin\AppData\Local\Temp\93ae4977-351e-4d12-8e91-5a7da1d83e8a.tmp

Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMUGYHL-20220901-1118a.log

Filesize
182KB

MD5
fc884470343819d1ce5d38d0d731c141

SHA1
3665ddbe5619e9027f0ea87dd58a50177decd9cc

SHA256
bbaa20497843b541ff16df5d313d0ae09a07753533de70b364672eff60d919ca

SHA512
fe7a3a1410f83b11023a74b6cbb0b9512ced6111d5a5f33f6247db315901a7d62b9e9e63ea27be44b130dbab0a38fb2f08bb4efd22a509b03593de64f8ff60ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
25KB

MD5
9d10f854940df634ca840710b5bab312

SHA1
4fbced512f60578a918a6a099b1d898586204add

SHA256
d29a41b75f239f44583c1bba3120b2adaea44e4a3e22a75609590ce213d1690c

SHA512
19a28b906bc1353def4dc3012c282ad313edcd8279931228bd7d5e124872c0b2b6baf033302ae3ba6fb4a84caf0d581856b79405117e9605838f163ad1ec9381

Download Submit
C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log

Filesize
4KB

MD5
b2c73bb7e8ac5639eec536a1cee5abd5

SHA1
27ac80503aa3827fef879b5ae4e8546da1285f3d

SHA256
c7ac663de6c20c909c93ed1fa786259400c56bee376191eeb3c1534ea66a2357

SHA512
57c6314370840a96847d16f26a1f60b1e57647b67692f8deab92e4120b657a3eac7d001cdca0467c32cefe74a0450f1076d7eb484712a4e45edc0d0bd3db3de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tqowreresqesio.tmp

Filesize
3.5MB

MD5
986d821f783e659b975b2a59585b6235

SHA1
7a11d6ea48d35573772d248553ad831bd74e77ba

SHA256
311f57e791a79007b5cedbd9f520986ea3e2b6b05112d6eac5d113d9a2c9eb60

SHA512
580ba23d1bda3066120fcc8b37c845affe8a83f4bf6af56f94abd8b368c4087c790cad2d3f38233040677abb1523ba48ae2f75eb50401c9877612ecde51d3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
e949db8f55991884a153aaf3888575bc

SHA1
e493e81e97c9589339046d5418a5dcf0fab1e660

SHA256
72322baaa14f01ab12ba14b00d66e2b2178f3f3d249bb0542a0f49fc59de808c

SHA512
368c7c3f68d8c15ded551ed9b87bc78b79bc0aed7fa3d7ef4006a130c5cf69caec0e5f29962882a5fcaed43580adb2da574cc2c9b178b96d64147b8ecf6ba97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7626.txt

Filesize
414KB

MD5
1665e1695efb8cff7253aa22d3b8d1af

SHA1
bb5cfec3bfdba7957199595d25dc5871ba1e55d9

SHA256
29ae5501fbe82cf6ca45bc724e22db29fe115d5ee4ff67c1fac3055eaec04816

SHA512
c9abb0bc028617a4152a27ce89a1b92f973d23fcc7cc6d2893c4a714f65ffd36255c9874c5bfacad4d514e7b67ecf5c37dd9cf017a25584c925c9bc490d0e9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI75EB.txt

Filesize
11KB

MD5
30641abfdbbbfae51f702a1c8c8ddbef

SHA1
ffcb0ed2708904f75756cc834fe004a0070994d2

SHA256
095ff071270b4125d9b1260caaa26c27d2045fd10245691b72a9132213e74f15

SHA512
8edb8eee4e0112d6140ccc7dcbd7cb4acd8c6ffa1625bf537605e144a516ea9596d5a864b91b34ede51f42c0ad6abd1c41557d15a64912502ecea67b8e8d42c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9NXQXXLFST89_0__.Public.InstallAgent.dat

Filesize
123KB

MD5
4beb06c816dbc684a80dcee9ab488539

SHA1
bb62b781d8e6e6668216d15973303df4af9debe6

SHA256
dc169bef642a9c41ebb1747c89f1d12f0fa8eb37821345a24361cb47550a7fb5

SHA512
79c6bf53d25478edaf8998a52846171c786abaff6a2ce238baadcdad659fd0da375e175fe72a3cfd4bcfab5df0f1d9b678a7e405dce3b4354c8537ebe85bd740

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct4ED3.tmp

Filesize
62KB

MD5
2e8f497235815362c3d2fe5f4d56010c

SHA1
c6c9c84fbdb7b85261ba818adbc18cab8158d692

SHA256
4420111c2dcd4928407eb5dec0c7270d382375392635959c816faf8b50cb95e3

SHA512
046993e0cbc526bda57a098cbe3902cc1ee81f90540fadd9004a2ac800b6f37703222986de994a07c175555c51cb641e2f71e9c560b6f174fe039b8dc1217133

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC515.tmp

Filesize
62KB

MD5
2e8f497235815362c3d2fe5f4d56010c

SHA1
c6c9c84fbdb7b85261ba818adbc18cab8158d692

SHA256
4420111c2dcd4928407eb5dec0c7270d382375392635959c816faf8b50cb95e3

SHA512
046993e0cbc526bda57a098cbe3902cc1ee81f90540fadd9004a2ac800b6f37703222986de994a07c175555c51cb641e2f71e9c560b6f174fe039b8dc1217133

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
fe4f6a24e5ab9d2d90051411307cf3a8

SHA1
a65b12b4d8e225eda13862b7ed6f30f56abb9569

SHA256
5ffbef5b65d7969e912ccdad478d225a1927480b6da0f6fa30156ca5eddb7ef5

SHA512
6e6159b5b13f21a2c13cffd92496d384aad7871fc2af079870b12068f9b646a785841b486c94993076cd25638ec8a0abb4aee5451d9602f05469e220f0747c0d

Download Submit
memory/1712-140-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-139-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-165-0x0000000002D70000-0x00000000038AE000-memory.dmp

Filesize
11.2MB

Download
memory/1712-163-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/1712-133-0x0000000002D70000-0x00000000038AE000-memory.dmp

Filesize
11.2MB

Download
memory/1712-134-0x0000000002D70000-0x00000000038AE000-memory.dmp

Filesize
11.2MB

Download
memory/1712-143-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-142-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-141-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-135-0x0000000002D70000-0x00000000038AE000-memory.dmp

Filesize
11.2MB

Download
memory/1712-132-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/1712-136-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-138-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/1712-137-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/5016-146-0x0000000003D60000-0x0000000003EA0000-memory.dmp

Filesize
1.2MB

Download
memory/5016-162-0x0000000003160000-0x0000000003C9E000-memory.dmp

Filesize
11.2MB

Download
memory/5016-145-0x0000000003160000-0x0000000003C9E000-memory.dmp

Filesize
11.2MB

Download
memory/5016-148-0x0000000000C00000-0x000000000161F000-memory.dmp

Filesize
10.1MB

Download
memory/5016-164-0x0000000003160000-0x0000000003C9E000-memory.dmp

Filesize
11.2MB

Download
memory/5016-147-0x0000000003D60000-0x0000000003EA0000-memory.dmp

Filesize
1.2MB

Download