65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18-03-2023 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185.exe
Size

2.7MB
MD5

07ecdfde07d15a9516f72af2a674acaa
SHA1

0e0acf62499e1a1e91aaf02d845fb1aac2c9471e
SHA256

65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185
SHA512

699cfd2ed91e47dcb472d851b8ee7a2779f4a378c0d423ae6a9a30fd8124b7d5e60a8aa431e09e7675ec0dcd1d7afaa0943e283cac1c9edbf466a7946e4ca2b1
SSDEEP

49152:ysiDCSANAVZi4mVNetY/ADY3qEiI7m39KyQ3ZHB+E9TbrOVztYB:y/3AuZdtY/ADYabtKlBHdrOVzu

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	4120	rundll32.exe
3	4120	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4120	rundll32.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 4148	4120	rundll32.exe	67
PID 4120 set thread context of 3584	4120	rundll32.exe	69
PID 4120 set thread context of 3484	4120	rundll32.exe	70
PID 4120 set thread context of 5052	4120	rundll32.exe	71
PID 4120 set thread context of 4992	4120	rundll32.exe	72
PID 4120 set thread context of 508	4120	rundll32.exe	73
PID 4120 set thread context of 860	4120	rundll32.exe	74
PID 4120 set thread context of 1264	4120	rundll32.exe	75
PID 4120 set thread context of 1644	4120	rundll32.exe	76
PID 4120 set thread context of 2568	4120	rundll32.exe	77
PID 4120 set thread context of 3440	4120	rundll32.exe	78
PID 4120 set thread context of 1016	4120	rundll32.exe	79
PID 4120 set thread context of 4316	4120	rundll32.exe	80
PID 4120 set thread context of 2064	4120	rundll32.exe	81
PID 4120 set thread context of 1400	4120	rundll32.exe	82
PID 4120 set thread context of 4428	4120	rundll32.exe	83
PID 4120 set thread context of 4028	4120	rundll32.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4148	rundll32.exe
3584	rundll32.exe
3484	rundll32.exe
5052	rundll32.exe
4992	rundll32.exe
508	rundll32.exe
860	rundll32.exe
1264	rundll32.exe
1644	rundll32.exe
2568	rundll32.exe
3440	rundll32.exe
1016	rundll32.exe
4316	rundll32.exe
2064	rundll32.exe
1400	rundll32.exe
4428	rundll32.exe
4028	rundll32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4120	4116	65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185.exe	66
PID 4116 wrote to memory of 4120	4116	65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185.exe	66
PID 4116 wrote to memory of 4120	4116	65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185.exe	66
PID 4120 wrote to memory of 4148	4120	rundll32.exe	67
PID 4120 wrote to memory of 4148	4120	rundll32.exe	67
PID 4120 wrote to memory of 4148	4120	rundll32.exe	67
PID 4120 wrote to memory of 3584	4120	rundll32.exe	69
PID 4120 wrote to memory of 3584	4120	rundll32.exe	69
PID 4120 wrote to memory of 3584	4120	rundll32.exe	69
PID 4120 wrote to memory of 3484	4120	rundll32.exe	70
PID 4120 wrote to memory of 3484	4120	rundll32.exe	70
PID 4120 wrote to memory of 3484	4120	rundll32.exe	70
PID 4120 wrote to memory of 5052	4120	rundll32.exe	71
PID 4120 wrote to memory of 5052	4120	rundll32.exe	71
PID 4120 wrote to memory of 5052	4120	rundll32.exe	71
PID 4120 wrote to memory of 4992	4120	rundll32.exe	72
PID 4120 wrote to memory of 4992	4120	rundll32.exe	72
PID 4120 wrote to memory of 4992	4120	rundll32.exe	72
PID 4120 wrote to memory of 508	4120	rundll32.exe	73
PID 4120 wrote to memory of 508	4120	rundll32.exe	73
PID 4120 wrote to memory of 508	4120	rundll32.exe	73
PID 4120 wrote to memory of 860	4120	rundll32.exe	74
PID 4120 wrote to memory of 860	4120	rundll32.exe	74
PID 4120 wrote to memory of 860	4120	rundll32.exe	74
PID 4120 wrote to memory of 1264	4120	rundll32.exe	75
PID 4120 wrote to memory of 1264	4120	rundll32.exe	75
PID 4120 wrote to memory of 1264	4120	rundll32.exe	75
PID 4120 wrote to memory of 1644	4120	rundll32.exe	76
PID 4120 wrote to memory of 1644	4120	rundll32.exe	76
PID 4120 wrote to memory of 1644	4120	rundll32.exe	76
PID 4120 wrote to memory of 2568	4120	rundll32.exe	77
PID 4120 wrote to memory of 2568	4120	rundll32.exe	77
PID 4120 wrote to memory of 2568	4120	rundll32.exe	77
PID 4120 wrote to memory of 3440	4120	rundll32.exe	78
PID 4120 wrote to memory of 3440	4120	rundll32.exe	78
PID 4120 wrote to memory of 3440	4120	rundll32.exe	78
PID 4120 wrote to memory of 1016	4120	rundll32.exe	79
PID 4120 wrote to memory of 1016	4120	rundll32.exe	79
PID 4120 wrote to memory of 1016	4120	rundll32.exe	79
PID 4120 wrote to memory of 4316	4120	rundll32.exe	80
PID 4120 wrote to memory of 4316	4120	rundll32.exe	80
PID 4120 wrote to memory of 4316	4120	rundll32.exe	80
PID 4120 wrote to memory of 2064	4120	rundll32.exe	81
PID 4120 wrote to memory of 2064	4120	rundll32.exe	81
PID 4120 wrote to memory of 2064	4120	rundll32.exe	81
PID 4120 wrote to memory of 1400	4120	rundll32.exe	82
PID 4120 wrote to memory of 1400	4120	rundll32.exe	82
PID 4120 wrote to memory of 1400	4120	rundll32.exe	82
PID 4120 wrote to memory of 4428	4120	rundll32.exe	83
PID 4120 wrote to memory of 4428	4120	rundll32.exe	83
PID 4120 wrote to memory of 4428	4120	rundll32.exe	83
PID 4120 wrote to memory of 4028	4120	rundll32.exe	84
PID 4120 wrote to memory of 4028	4120	rundll32.exe	84
PID 4120 wrote to memory of 4028	4120	rundll32.exe	84

C:\Users\Admin\AppData\Local\Temp\65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185.exe
"C:\Users\Admin\AppData\Local\Temp\65ef6cb7beb0da52605784280f431276c3026b9513371d377076ea64be3ea185.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4148
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3584
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3484
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:5052
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4992
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:508
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:860
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1264
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1644
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2568
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3440
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1016
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4316
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2064
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1400
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4428
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
403KB

MD5
b4d3016a1cccde90a62b685149c832f9

SHA1
5d6c4ba3474e6544bd24343da564e90bba89f6f7

SHA256
df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373

SHA512
abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll

Filesize
3.2MB

MD5
1fca53bdee43be001791bae4b413640e

SHA1
52fd3902f82599e8da8c02811ccefddbfcff9214

SHA256
745879c9b1c48ffc075713fb4de057c71d308944347d7611c0a9d4431aa24b64

SHA512
ff586a8ab982a57f6eb7b01bec87d09e1e3246dc2e43af4ab99b2a5f98bd0064228c1b094f70045e8c782001aee071726407b2d4fbfe8f25954f834576a0518f

Download Submit
\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll

Filesize
3.2MB

MD5
1fca53bdee43be001791bae4b413640e

SHA1
52fd3902f82599e8da8c02811ccefddbfcff9214

SHA256
745879c9b1c48ffc075713fb4de057c71d308944347d7611c0a9d4431aa24b64

SHA512
ff586a8ab982a57f6eb7b01bec87d09e1e3246dc2e43af4ab99b2a5f98bd0064228c1b094f70045e8c782001aee071726407b2d4fbfe8f25954f834576a0518f

Download Submit
memory/508-299-0x000001A8763F0000-0x000001A876698000-memory.dmp

Filesize
2.7MB

Download
memory/508-304-0x000001A8763F0000-0x000001A876698000-memory.dmp

Filesize
2.7MB

Download
memory/860-327-0x0000023C59C40000-0x0000023C59EE8000-memory.dmp

Filesize
2.7MB

Download
memory/860-323-0x0000023C59C40000-0x0000023C59EE8000-memory.dmp

Filesize
2.7MB

Download
memory/1016-436-0x0000026754DD0000-0x0000026755078000-memory.dmp

Filesize
2.7MB

Download
memory/1016-440-0x0000026754DD0000-0x0000026755078000-memory.dmp

Filesize
2.7MB

Download
memory/1264-345-0x0000017D7B090000-0x0000017D7B338000-memory.dmp

Filesize
2.7MB

Download
memory/1264-349-0x0000017D7B090000-0x0000017D7B338000-memory.dmp

Filesize
2.7MB

Download
memory/1400-503-0x000002AA5F310000-0x000002AA5F5B8000-memory.dmp

Filesize
2.7MB

Download
memory/1400-508-0x000002AA5F310000-0x000002AA5F5B8000-memory.dmp

Filesize
2.7MB

Download
memory/1644-372-0x000001DAE6330000-0x000001DAE65D8000-memory.dmp

Filesize
2.7MB

Download
memory/1644-368-0x000001DAE6330000-0x000001DAE65D8000-memory.dmp

Filesize
2.7MB

Download
memory/2064-481-0x0000019C27230000-0x0000019C274D8000-memory.dmp

Filesize
2.7MB

Download
memory/2064-485-0x0000019C27230000-0x0000019C274D8000-memory.dmp

Filesize
2.7MB

Download
memory/2568-390-0x000001F92AD30000-0x000001F92AFD8000-memory.dmp

Filesize
2.7MB

Download
memory/2568-395-0x000001F92AD30000-0x000001F92AFD8000-memory.dmp

Filesize
2.7MB

Download
memory/3440-413-0x00000257C2C00000-0x00000257C2EA8000-memory.dmp

Filesize
2.7MB

Download
memory/3440-417-0x00000257C2C00000-0x00000257C2EA8000-memory.dmp

Filesize
2.7MB

Download
memory/3484-235-0x00000159704A0000-0x0000015970748000-memory.dmp

Filesize
2.7MB

Download
memory/3484-229-0x00000159704A0000-0x0000015970748000-memory.dmp

Filesize
2.7MB

Download
memory/3484-227-0x00007FFC4E200000-0x00007FFC4E201000-memory.dmp

Filesize
4KB

Download
memory/3584-205-0x0000025CE61C0000-0x0000025CE6300000-memory.dmp

Filesize
1.2MB

Download
memory/3584-203-0x00007FFC4E200000-0x00007FFC4E201000-memory.dmp

Filesize
4KB

Download
memory/3584-211-0x0000025CE4770000-0x0000025CE4A18000-memory.dmp

Filesize
2.7MB

Download
memory/3584-209-0x0000025CE4770000-0x0000025CE4A18000-memory.dmp

Filesize
2.7MB

Download
memory/3584-208-0x0000025CE4770000-0x0000025CE4A18000-memory.dmp

Filesize
2.7MB

Download
memory/3584-207-0x0000025CE4770000-0x0000025CE4A18000-memory.dmp

Filesize
2.7MB

Download
memory/3584-204-0x0000025CE61C0000-0x0000025CE6300000-memory.dmp

Filesize
1.2MB

Download
memory/4028-553-0x0000024AF4D70000-0x0000024AF5018000-memory.dmp

Filesize
2.7MB

Download
memory/4028-549-0x0000024AF4D70000-0x0000024AF5018000-memory.dmp

Filesize
2.7MB

Download
memory/4116-122-0x0000000000400000-0x0000000002D61000-memory.dmp

Filesize
41.4MB

Download
memory/4116-126-0x0000000005030000-0x000000000536F000-memory.dmp

Filesize
3.2MB

Download
memory/4116-120-0x0000000005030000-0x000000000536F000-memory.dmp

Filesize
3.2MB

Download
memory/4120-223-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-151-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-196-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-197-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/4120-199-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-198-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-200-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-193-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-192-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-190-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-125-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4120-206-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4120-186-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4120-131-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4120-176-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-148-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-213-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-216-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-217-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-218-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-220-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-222-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-221-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4120-149-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/4120-224-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-175-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-174-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-173-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4120-150-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-195-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-160-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-161-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-172-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-170-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-169-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-168-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-166-0x0000000005BA0000-0x0000000006706000-memory.dmp

Filesize
11.4MB

Download
memory/4120-165-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4120-164-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4120-162-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4120-163-0x00000000067D0000-0x0000000006910000-memory.dmp

Filesize
1.2MB

Download
memory/4148-185-0x000001B33A410000-0x000001B33A6B8000-memory.dmp

Filesize
2.7MB

Download
memory/4148-179-0x00007FFC4E200000-0x00007FFC4E201000-memory.dmp

Filesize
4KB

Download
memory/4148-181-0x0000000000020000-0x00000000002B6000-memory.dmp

Filesize
2.6MB

Download
memory/4148-180-0x000001B33BE60000-0x000001B33BFA0000-memory.dmp

Filesize
1.2MB

Download
memory/4148-188-0x000001B33A410000-0x000001B33A6B8000-memory.dmp

Filesize
2.7MB

Download
memory/4148-184-0x000001B33A410000-0x000001B33A6B8000-memory.dmp

Filesize
2.7MB

Download
memory/4148-182-0x000001B33BE60000-0x000001B33BFA0000-memory.dmp

Filesize
1.2MB

Download
memory/4148-183-0x000001B33A410000-0x000001B33A6B8000-memory.dmp

Filesize
2.7MB

Download
memory/4316-458-0x000001CC341A0000-0x000001CC34448000-memory.dmp

Filesize
2.7MB

Download
memory/4316-462-0x000001CC341A0000-0x000001CC34448000-memory.dmp

Filesize
2.7MB

Download
memory/4428-526-0x00000208630F0000-0x0000020863398000-memory.dmp

Filesize
2.7MB

Download
memory/4428-530-0x00000208630F0000-0x0000020863398000-memory.dmp

Filesize
2.7MB

Download
memory/4992-276-0x0000022806B90000-0x0000022806E38000-memory.dmp

Filesize
2.7MB

Download
memory/4992-281-0x0000022806B90000-0x0000022806E38000-memory.dmp

Filesize
2.7MB

Download
memory/5052-254-0x0000027F1F030000-0x0000027F1F2D8000-memory.dmp

Filesize
2.7MB

Download
memory/5052-258-0x0000027F1F030000-0x0000027F1F2D8000-memory.dmp

Filesize
2.7MB

Download