Overview

overview

8

Static

static

3

c1be4671b4...da.dll

windows7-x64

8

c1be4671b4...da.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/08/2023, 15:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c1be4671b4f67c1902f14a732f0ea283f90db889116ee1de310823ce12b04dda.dll

  • Size

    1.7MB

  • MD5

    a8150e096396092c58f7bb78a7e1484f

  • SHA1

    e30e8b92824a9e3f351e1fa1fb66fb27cb0a679d

  • SHA256

    c1be4671b4f67c1902f14a732f0ea283f90db889116ee1de310823ce12b04dda

  • SHA512

    a5dc461a0b4d8fc79d341ddcd2f8f68bce187fe67ff0303fd8605e83b7d7e2496094cf1d2175ee7e8effef84d159f11ac1ba28cef0dafdfacc632a8ef7c323fd

  • SSDEEP

    49152:QXYLbix0dEDr+F46sPGiRPHKZ7WOLh7livfKYhiBWOh:QXYLWWCXfxPGihKZli5QWs

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1be4671b4f67c1902f14a732f0ea283f90db889116ee1de310823ce12b04dda.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1be4671b4f67c1902f14a732f0ea283f90db889116ee1de310823ce12b04dda.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Public\Music\10.ps1
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1384
      • C:\Users\Public\Music\22.exe
        C:\Users\Public\Music\22.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start C:\ProgramData\MonkeyKing
          4⤵
          • Modifies registry class
          PID:4080
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2700
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3784

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\Music\10.ps1
            Filesize

            592B

            MD5

            f28d5da820677d92b40ab19ccc5a6795

            SHA1

            16423e998c5bae8b1004c7aa21ad1d44ae7cdee0

            SHA256

            0ada0bc8f24cc25139e3ea2959f09a6fc0d18bb74fd45991b5ca239bda56588e

            SHA512

            27d615853dc864e35364e71b0cd760becd36296e3b7bcfe9f75726088105464ad21e67ac42def50d466fd11bddf36c30efa0c3dae3e204bba8d126963c7c3d7b

            Download Submit

          • C:\Users\Public\Music\22.exe
            Filesize

            108KB

            MD5

            48c30975186d1e0e8e3f9b29b7d98321

            SHA1

            dd0ad4e37b44c70204b64cb75adb0f937130105b

            SHA256

            5aa75d506a8a0b066b402f9548e21c1f2b90c34facc0c38c651e382aa312ae54

            SHA512

            559a77befe73b420a7f490b615f1ad1477a998b5a79f8e786dbc6cc691d8e09d7f6bd852f2f58feec5786367869339c787b28e1397fceb1f9fe83b378cfe107c

            Download Submit

          • C:\Users\Public\Music\22.exe
            Filesize

            108KB

            MD5

            48c30975186d1e0e8e3f9b29b7d98321

            SHA1

            dd0ad4e37b44c70204b64cb75adb0f937130105b

            SHA256

            5aa75d506a8a0b066b402f9548e21c1f2b90c34facc0c38c651e382aa312ae54

            SHA512

            559a77befe73b420a7f490b615f1ad1477a998b5a79f8e786dbc6cc691d8e09d7f6bd852f2f58feec5786367869339c787b28e1397fceb1f9fe83b378cfe107c

            Download Submit

          • memory/3784-55-0x00007FFD6A6C0000-0x00007FFD6B181000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3784-50-0x00007FFD6A6C0000-0x00007FFD6B181000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4720-14-0x0000000003050000-0x00000000031F0000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4720-25-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-7-0x0000000002DB0000-0x0000000002EA0000-memory.dmp

            Filesize

            960KB

            Download

          • memory/4720-8-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-10-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-12-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-13-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-0-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-15-0x0000000002EC0000-0x0000000002EE4000-memory.dmp

            Filesize

            144KB

            Download

          • memory/4720-16-0x00000000037C0000-0x0000000003805000-memory.dmp

            Filesize

            276KB

            Download

          • memory/4720-17-0x00000000042F0000-0x000000000446D000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4720-6-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-26-0x0000000002D30000-0x0000000002D7A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/4720-34-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-5-0x0000000002DA0000-0x0000000002DAC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4720-3-0x0000000002D30000-0x0000000002D7A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/4720-4-0x0000000002D90000-0x0000000002DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4720-1-0x0000000002D80000-0x0000000002D81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4720-2-0x0000000002D30000-0x0000000002D7A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/4720-61-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-63-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4720-64-0x0000000010000000-0x00000000104C3000-memory.dmp

            Filesize

            4.8MB

            Download