8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58.exe
Size

3.4MB
MD5

74ab53043d59a203a24479aced6cca2b
SHA1

4d00759b4444d71c3feb83112b4adb1cb767cb57
SHA256

8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58
SHA512

835420bd10fb1b59e79ef051d0544d79fd318dbf651d4e4f7c557c7f04d6e6fe59c881f57fab7c7014597927786cbd9be1c0df54562e157b59b48e2750170a2d
SSDEEP

98304:bEfKX1/j2BsSjPrkWLCMbeZ9C6wYpKZ+gR:bN1/j2+uLdq9C6wYp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	3744	rundll32.exe
13	3744	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
3744	rundll32.exe
3744	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3744 set thread context of 3884	3744	rundll32.exe	94
PID 3744 set thread context of 2656	3744	rundll32.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4212	1820	WerFault.exe	82

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3884	rundll32.exe
2656	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3744	1820	8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58.exe	83
PID 1820 wrote to memory of 3744	1820	8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58.exe	83
PID 1820 wrote to memory of 3744	1820	8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58.exe	83
PID 3744 wrote to memory of 3884	3744	rundll32.exe	94
PID 3744 wrote to memory of 3884	3744	rundll32.exe	94
PID 3744 wrote to memory of 3884	3744	rundll32.exe	94
PID 3744 wrote to memory of 2656	3744	rundll32.exe	96
PID 3744 wrote to memory of 2656	3744	rundll32.exe	96
PID 3744 wrote to memory of 2656	3744	rundll32.exe	96

C:\Users\Admin\AppData\Local\Temp\8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58.exe
"C:\Users\Admin\AppData\Local\Temp\8f3018a01f6fbc6bbe6999f8e6741dd05cb81da753dba99a92609b2e4c42ef58.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eptryroq.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15504
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3884
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15504
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 460
  2⤵
  - Program crash
  PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1820 -ip 1820
1⤵
PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eptryroq.dll

Filesize
3.3MB

MD5
d8c00e7cd6ffeed66f826da08c4257a3

SHA1
696278e05d8e026c50cc3cc8366deca2c409b389

SHA256
27a34c49601f42eadd4a08f099672f8f430c87681fdcce0d0d2a7883d253c119

SHA512
5752bdf6f339bd7386c3a7dc7d695fb8aa05642b865eb49eade1445a0144489a7626f9410255e7bb752c88882b5b91949f31fdaa64972e5477b1606465dc7062

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eptryroq.dll

Filesize
3.3MB

MD5
d8c00e7cd6ffeed66f826da08c4257a3

SHA1
696278e05d8e026c50cc3cc8366deca2c409b389

SHA256
27a34c49601f42eadd4a08f099672f8f430c87681fdcce0d0d2a7883d253c119

SHA512
5752bdf6f339bd7386c3a7dc7d695fb8aa05642b865eb49eade1445a0144489a7626f9410255e7bb752c88882b5b91949f31fdaa64972e5477b1606465dc7062

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eptryroq.dll

Filesize
3.3MB

MD5
d8c00e7cd6ffeed66f826da08c4257a3

SHA1
696278e05d8e026c50cc3cc8366deca2c409b389

SHA256
27a34c49601f42eadd4a08f099672f8f430c87681fdcce0d0d2a7883d253c119

SHA512
5752bdf6f339bd7386c3a7dc7d695fb8aa05642b865eb49eade1445a0144489a7626f9410255e7bb752c88882b5b91949f31fdaa64972e5477b1606465dc7062

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3956.log

Filesize
470B

MD5
74b484c4f522b4444ef1a5ba870fe1a9

SHA1
db443cfd18c203775b836e84166bd73f412d3a65

SHA256
845d2c4a027bccf353d07ef8f4430f72f936f21d5faf06d9ebd0ace92fb026fe

SHA512
13e12d247cd4d2a4969e9b9f411ac809703b7ec3e56e2a5963f5cf3f26f4c49b873c4e2c26d558d816f663553c056de5376e90909ccd540f5ef77fcf872f7a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI58A3.txt

Filesize
11KB

MD5
a54e29c5055fc0154bf69eff5ec0145f

SHA1
f8ad7eb297fb18f2bbaa4373b1ac4fa3b5a0f701

SHA256
67932638c36d9c7ab6785f0bafb58e989828243c2b8d7678ee8f6f2f3a62ea2c

SHA512
d67a7d010fc578bdccd2f2559da68eac3e272e892acf7d93516a33e2728569eabaf5de3a2bfc4a479a160108eb8f5251964c0a6ad576b9f3e6d147929369cb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
266KB

MD5
3ee19144dcc99975865fa98db51e00b6

SHA1
d97f962744a6a0bb5de9b28bbf29dbfd43cafc7e

SHA256
e45d194746bd615d2a8ccccb465ff56a9f518af571bf6eab0563c3963033d5e0

SHA512
0a55e86b1095f9f557bbf1b1953001f57eac16a06660e20be04f2db5a77c0160634089dbb3908ec9a3947da52ed29a29db1859e5a2ccaccdd14178f855627518

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctE725.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
memory/1820-134-0x0000000002D60000-0x000000000327B000-memory.dmp

Filesize
5.1MB

Download
memory/1820-141-0x0000000000400000-0x0000000000C37000-memory.dmp

Filesize
8.2MB

Download
memory/1820-142-0x0000000002D60000-0x000000000327B000-memory.dmp

Filesize
5.1MB

Download
memory/2656-259-0x000001CB14C80000-0x000001CB14CA7000-memory.dmp

Filesize
156KB

Download
memory/2656-254-0x000001CB16930000-0x000001CB16A70000-memory.dmp

Filesize
1.2MB

Download
memory/2656-252-0x00007FFBDAC30000-0x00007FFBDAC31000-memory.dmp

Filesize
4KB

Download
memory/2656-253-0x000001CB16930000-0x000001CB16A70000-memory.dmp

Filesize
1.2MB

Download
memory/2656-255-0x000001CB14EE0000-0x000001CB15183000-memory.dmp

Filesize
2.6MB

Download
memory/2656-257-0x000001CB14EE0000-0x000001CB15183000-memory.dmp

Filesize
2.6MB

Download
memory/3744-226-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/3744-250-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-214-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-215-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-216-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/3744-217-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-218-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-219-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-221-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-222-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-223-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-225-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-176-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-227-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-139-0x00000000028B0000-0x0000000002C0B000-memory.dmp

Filesize
3.4MB

Download
memory/3744-228-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-140-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3744-256-0x00000000028B0000-0x0000000002C0B000-memory.dmp

Filesize
3.4MB

Download
memory/3744-229-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-172-0x00000000028B0000-0x0000000002C0B000-memory.dmp

Filesize
3.4MB

Download
memory/3744-234-0x00000000028B0000-0x0000000002C0B000-memory.dmp

Filesize
3.4MB

Download
memory/3744-173-0x00000000028B0000-0x0000000002C0B000-memory.dmp

Filesize
3.4MB

Download
memory/3744-251-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-174-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-175-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3744-241-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-243-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-244-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-246-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-247-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3744-248-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/3744-177-0x0000000003B30000-0x0000000004672000-memory.dmp

Filesize
11.3MB

Download
memory/3744-249-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/3884-240-0x000001AEF49A0000-0x000001AEF49C7000-memory.dmp

Filesize
156KB

Download
memory/3884-238-0x000001AEF2EA0000-0x000001AEF3143000-memory.dmp

Filesize
2.6MB

Download
memory/3884-236-0x000001AEF2EA0000-0x000001AEF3143000-memory.dmp

Filesize
2.6MB

Download
memory/3884-235-0x0000000000A30000-0x0000000000CC2000-memory.dmp

Filesize
2.6MB

Download
memory/3884-233-0x000001AEF2EA0000-0x000001AEF3143000-memory.dmp

Filesize
2.6MB

Download
memory/3884-232-0x000001AEF4760000-0x000001AEF48A0000-memory.dmp

Filesize
1.2MB

Download
memory/3884-231-0x000001AEF4760000-0x000001AEF48A0000-memory.dmp

Filesize
1.2MB

Download
memory/3884-230-0x00007FFBDAC30000-0x00007FFBDAC31000-memory.dmp

Filesize
4KB

Download