92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442

General

Target

92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442.exe
Size

4.8MB
MD5

b945c78f3838cfb6c9ac404d68b153b7
SHA1

a0f5d36a31e2715737ca74c51848f30d831e96ee
SHA256

92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442
SHA512

c4a980e3ab27671719e842261791139ad8409c7f376ecc747534888a4fd98b7a43b1426800a0f4d2479946fd5f72334a8debb1592fb812346e2198f3e8774802
SSDEEP

98304:aHlkanT+deP0BLPv0VttcfCo0AvYG5kpWP7TbIp1:yVT+BBLnSttcf0AvH5kEzA7

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	212	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
212	rundll32.exe
212	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 3868	212	rundll32.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3864	4024	WerFault.exe	85

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3868	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 212	4024	92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442.exe	86
PID 4024 wrote to memory of 212	4024	92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442.exe	86
PID 4024 wrote to memory of 212	4024	92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442.exe	86
PID 212 wrote to memory of 3868	212	rundll32.exe	95
PID 212 wrote to memory of 3868	212	rundll32.exe	95
PID 212 wrote to memory of 3868	212	rundll32.exe	95

C:\Users\Admin\AppData\Local\Temp\92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442.exe
"C:\Users\Admin\AppData\Local\Temp\92fb4e56f561a72180c302bcd931e49af7395e3945f7f14d14b4e1d41e5dc442.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 19207
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 412
  2⤵
  - Program crash
  PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4024 -ip 4024
1⤵
PID:232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll

Filesize
5.4MB

MD5
4305a9c9f554b9d36605cc682a5d085f

SHA1
0fd982963faf166d37c318596bb64933c10bedc4

SHA256
ede61fb4b35bfd235b09d5ada91a1b7fb96334e9c272d9d26ec9fb94b5e2c891

SHA512
5d11110f9719939f86ec4775430448f29b2fae17b57848cebc6e136a6cc708c109a59069a88643c47f897f1eecdba0e65ce91f9c405e42089a7e5f09f02afd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll

Filesize
5.4MB

MD5
4305a9c9f554b9d36605cc682a5d085f

SHA1
0fd982963faf166d37c318596bb64933c10bedc4

SHA256
ede61fb4b35bfd235b09d5ada91a1b7fb96334e9c272d9d26ec9fb94b5e2c891

SHA512
5d11110f9719939f86ec4775430448f29b2fae17b57848cebc6e136a6cc708c109a59069a88643c47f897f1eecdba0e65ce91f9c405e42089a7e5f09f02afd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uieiuateoq.dll

Filesize
5.4MB

MD5
4305a9c9f554b9d36605cc682a5d085f

SHA1
0fd982963faf166d37c318596bb64933c10bedc4

SHA256
ede61fb4b35bfd235b09d5ada91a1b7fb96334e9c272d9d26ec9fb94b5e2c891

SHA512
5d11110f9719939f86ec4775430448f29b2fae17b57848cebc6e136a6cc708c109a59069a88643c47f897f1eecdba0e65ce91f9c405e42089a7e5f09f02afd17

Download Submit
memory/212-194-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-178-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-140-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/212-196-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-175-0x0000000002750000-0x0000000002CCE000-memory.dmp

Filesize
5.5MB

Download
memory/212-176-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-177-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/212-197-0x0000000004850000-0x0000000004990000-memory.dmp

Filesize
1.2MB

Download
memory/212-179-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-188-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-190-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/212-189-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-192-0x00000000045C0000-0x0000000004700000-memory.dmp

Filesize
1.2MB

Download
memory/212-198-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-193-0x0000000002750000-0x0000000002CCE000-memory.dmp

Filesize
5.5MB

Download
memory/212-213-0x0000000002750000-0x0000000002CCE000-memory.dmp

Filesize
5.5MB

Download
memory/212-204-0x00000000039A0000-0x00000000044F9000-memory.dmp

Filesize
11.3MB

Download
memory/212-139-0x0000000002750000-0x0000000002CCE000-memory.dmp

Filesize
5.5MB

Download
memory/212-191-0x00000000045C0000-0x0000000004700000-memory.dmp

Filesize
1.2MB

Download
memory/212-200-0x0000000004850000-0x0000000004990000-memory.dmp

Filesize
1.2MB

Download
memory/212-201-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/212-202-0x00000000045C0000-0x0000000004700000-memory.dmp

Filesize
1.2MB

Download
memory/212-203-0x00000000045C0000-0x0000000004700000-memory.dmp

Filesize
1.2MB

Download
memory/3868-205-0x00007FFF54840000-0x00007FFF54841000-memory.dmp

Filesize
4KB

Download
memory/3868-207-0x0000017724450000-0x0000017724590000-memory.dmp

Filesize
1.2MB

Download
memory/3868-209-0x0000017724450000-0x0000017724590000-memory.dmp

Filesize
1.2MB

Download
memory/3868-208-0x0000017722A00000-0x0000017722CB0000-memory.dmp

Filesize
2.7MB

Download
memory/3868-206-0x0000000000630000-0x00000000008CF000-memory.dmp

Filesize
2.6MB

Download
memory/3868-210-0x0000017722A00000-0x0000017722CB0000-memory.dmp

Filesize
2.7MB

Download
memory/3868-211-0x0000017722A00000-0x0000017722CB0000-memory.dmp

Filesize
2.7MB

Download
memory/3868-212-0x0000017724CF0000-0x0000017724D99000-memory.dmp

Filesize
676KB

Download
memory/4024-141-0x0000000000400000-0x0000000002735000-memory.dmp

Filesize
35.2MB

Download
memory/4024-138-0x00000000049F0000-0x00000000050C4000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing