Overview

Score by task (name, platform: score):
- overview: 8
- static: 1
- CmdLine.exe, windows7-x64: 5
- CmdLine.exe, windows10-2004-x64: 6
- Common.dll, windows7-x64: 5
- Common.dll, windows10-2004-x64: 5
- DropBoxExe.exe, windows7-x64: 1
- DropBoxExe.exe, windows10-2004-x64: 1
- StarBurn.dll, windows7-x64: 3
- StarBurn.dll, windows10-2004-x64: 3
- StuffIt14.url, windows7-x64: 6
- StuffIt14.url, windows10-2004-x64: 8
- StuffItConnect.dll, windows7-x64: 3
- StuffItConnect.dll, windows10-2004-x64: 3
- StuffItEngine.dll, windows7-x64: 5
- StuffItEngine.dll, windows10-2004-x64: 5

Analysis

- max time kernel: 34s
- max time network: 29s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07-02-2023 02:08
- Static task static1
- Behavioral task behavioral1: sample CmdLine.exe, resource win7-20220812-en
- Behavioral task behavioral2: sample CmdLine.exe, resource win10v2004-20221111-en
- Behavioral task behavioral3: sample Common.dll, resource win7-20221111-en
- Behavioral task behavioral4: sample Common.dll, resource win10v2004-20220812-en
- Behavioral task behavioral5: sample DropBoxExe.exe, resource win7-20220812-en
- Behavioral task behavioral6: sample DropBoxExe.exe, resource win10v2004-20220812-en
- Behavioral task behavioral7: sample StarBurn.dll, resource win7-20221111-en
- Behavioral task behavioral8: sample StarBurn.dll, resource win10v2004-20221111-en
- Behavioral task behavioral9: sample StuffIt14.url, resource win7-20220812-en
- Behavioral task behavioral10: sample StuffIt14.url, resource win10v2004-20220812-en
- Behavioral task behavioral11: sample StuffItConnect.dll, resource win7-20220812-en
- Behavioral task behavioral12: sample StuffItConnect.dll, resource win10v2004-20221111-en
- Behavioral task behavioral13: sample StuffItEngine.dll, resource win7-20221111-en
- Behavioral task behavioral14: sample StuffItEngine.dll, resource win10v2004-20220812-en
General

- Target: StuffItEngine.dll
- Size: 1012.9MB
- MD5: ef2868fe1076f5b46db73953886ccd31
- SHA1: 9cd52d848938fe8059caf5bc34cd8be9b13db9fe
- SHA256: 2ec8631abe9bc1900ca64b997c53e861b04ec1a67fbef3778fe1f46ff125b98d
- SHA512: aa61d2b84cc833a6862a0cb24e911bed0728a1d6e57b810658181105462deb63d00061c53dae9706ba9c139ff801279a8dc2a5011cc01f730b0f30b09fd55a70
- SSDEEP: 393216:n4wsmYMOqC+tpqrfr2ialtyZqmCB46NwtU5a8Ri36puC3e/cN+:4w8DbfrwYAjBstUa8U36oCOh
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
  1096 rundll32.exe
  1096 rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
  1708 1096 WerFault.exe rundll32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  1096 rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 1228 wrote to memory of 1096, rundll32.exe -> rundll32.exe (7 events)
  PID 1096 wrote to memory of 1708, rundll32.exe -> WerFault.exe (4 events)
Processes

- C:\Windows\system32\rundll32.exe (PID 1228)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\StuffItEngine.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1096), child of 1228
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\StuffItEngine.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1708), child of 1096
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 604
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

- memory/1096-54-0x0000000000000000-mapping.dmp
- memory/1096-55-0x0000000075C41000-0x0000000075C43000-memory.dmp (Filesize 8KB)
- memory/1096-56-0x0000000001FF0000-0x0000000006609000-memory.dmp (Filesize 70.1MB)
- memory/1096-57-0x0000000001FF0000-0x0000000006609000-memory.dmp (Filesize 70.1MB)
- memory/1096-59-0x0000000001FF0000-0x0000000006609000-memory.dmp (Filesize 70.1MB)
- memory/1096-62-0x0000000001FF0000-0x0000000006609000-memory.dmp (Filesize 70.1MB)
- memory/1096-64-0x0000000001FF0000-0x0000000006609000-memory.dmp (Filesize 70.1MB)
- memory/1096-65-0x0000000001FF0000-0x0000000006609000-memory.dmp (Filesize 70.1MB)
- memory/1708-63-0x0000000000000000-mapping.dmp