ea933832e2b54394e17c2ca51f5d0e42a9a76dd1f6e3c0439d1415f77fa31548 | Triage

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 07:30 UTC

Sharing

Report Analysis Logs

General

Target

c80d627107db611cb805b7fdce880030.exe
Size

63KB
MD5

c80d627107db611cb805b7fdce880030
SHA1

efacc489df7020f605953c9bd16afbccc09e2824
SHA256

ea933832e2b54394e17c2ca51f5d0e42a9a76dd1f6e3c0439d1415f77fa31548
SHA512

f6532255995ba423ca954c099c696368f19c57cf85052fe74a94578ae6205dd0a5bb07295ca32d390b7c0535e54cca82020c54593b1f7018d3fa4a048c08850a
SSDEEP

1536:UjV8OL2JLAEEbBow9551m5HwgvTnjrrzQgPZT4rNuGOVm5SvDqm7UZdyhG:UJ8ZJYBoM1m5RznrzQq6rNBfgzY48

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe

Disables RegEdit via registry modification 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe

Disables Task Manager via registry modification
evasion

Modifies Shared Task Scheduler registry keys 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	dropper_286962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\IPC Configuration Utility = "IPC Configuration Utility"	dropper_286962.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{020487CC-FC04-4B1E-863F-D9801796230B} = "Windows Installer Class"	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	dropper_286962.exe
2560	load.exe

Loads dropped DLL 8 IoCs

pid	Process
1912	c80d627107db611cb805b7fdce880030.exe
1912	c80d627107db611cb805b7fdce880030.exe
1912	c80d627107db611cb805b7fdce880030.exe
1912	c80d627107db611cb805b7fdce880030.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe

Windows security modification 2 TTPs 4 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

Defacement

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Desktop\General	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	rundll32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wndutl32.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wndutl32.dll"	dropper_286962.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}	dropper_286962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}\Apartment = "Apartment"	dropper_286962.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2936	1912	c80d627107db611cb805b7fdce880030.exe	28
PID 1912 wrote to memory of 2936	1912	c80d627107db611cb805b7fdce880030.exe	28
PID 1912 wrote to memory of 2936	1912	c80d627107db611cb805b7fdce880030.exe	28
PID 1912 wrote to memory of 2936	1912	c80d627107db611cb805b7fdce880030.exe	28
PID 1912 wrote to memory of 2560	1912	c80d627107db611cb805b7fdce880030.exe	29
PID 1912 wrote to memory of 2560	1912	c80d627107db611cb805b7fdce880030.exe	29
PID 1912 wrote to memory of 2560	1912	c80d627107db611cb805b7fdce880030.exe	29
PID 1912 wrote to memory of 2560	1912	c80d627107db611cb805b7fdce880030.exe	29
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2936 wrote to memory of 2372	2936	dropper_286962.exe	30
PID 2560 wrote to memory of 2380	2560	load.exe	31
PID 2560 wrote to memory of 2380	2560	load.exe	31
PID 2560 wrote to memory of 2380	2560	load.exe	31
PID 2560 wrote to memory of 2380	2560	load.exe	31

System policy modification 1 TTPs 8 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1"	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c80d627107db611cb805b7fdce880030.exe
"C:\Users\Admin\AppData\Local\Temp\c80d627107db611cb805b7fdce880030.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\dropper_286962.exe
  "C:\Users\Admin\AppData\Local\Temp\dropper_286962.exe"
  2⤵
  - Modifies Shared Task Scheduler registry keys
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\wndutl32.dll,load
    3⤵
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Modifies Shared Task Scheduler registry keys
    - Loads dropped DLL
    - Windows security modification
    - Sets desktop wallpaper using registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - System policy modification
    PID:2372
- C:\Users\Admin\AppData\Local\Temp\load.exe
  "C:\Users\Admin\AppData\Local\Temp\load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\load.exe"
    3⤵
    PID:2380

Network

DNS

bestlocatehomes.com

Remote address:

8.8.8.8:53

Request

bestlocatehomes.com

IN A

Response

No results found

8.8.8.8:53

bestlocatehomes.com

dns

65 B
138 B
1
1

DNS Request

bestlocatehomes.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\dropper_286962.exe

Filesize
43KB

MD5
df0ad057821a5a5218125a7cf7375813

SHA1
0195d399cc9c705f70b06d8a9dd16fd50d494f16

SHA256
98ae0c7ec0479ae48fe9deaa6d5f16d733248a8ecd3137e213e2c84221881d75

SHA512
a05f64df4431414467e25b71af1c50e09c73b0eb85e2b6f9011393d837fcc56bf9c93857867c0ab71e7da3ba52e2a5693ca10a8a2c6bcb8ff54e5971c7db2016

Download Submit
\Users\Admin\AppData\Local\Temp\load.exe

Filesize
9KB

MD5
2074d9f84dabdaa9eca10d550797740c

SHA1
ae5c559a7c167c716bfd4c1fbdf6582a9112625a

SHA256
3e27f5e6be8ca368e9f49fbb0af15b253ad9f1a719248992a85fdc50d4d781ab

SHA512
b486868fa9dcf2dfac2069998c3a580ba8fe12a9dcba7bf4cfd44d06b021d53ef29ba4415a2780c8d239f708015f00b54c2b32e3ac869f792ae6d633c71d4589

Download Submit
\Users\Admin\AppData\Local\Temp\wndutl32.dll

Filesize
13KB

MD5
566881585b351cdcc4f66648c6b98a58

SHA1
fc996cda1a168532d6d7e899c4bb1684199262bb

SHA256
5bd5db0388afdc882eb196a9e03681944ef10cba658eef11fb89feac0eed4e30

SHA512
cc16ea70971a995a6788112e0a58a686272f18352d881274af3ec7d5a274edb30e3a910c0dc0a657f6c310475e959c853551dc350555f7c8add4d3613c66580c

Download Submit
memory/1912-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-1-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/1912-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1912-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2560-32-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2560-27-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/2560-41-0x0000000000400000-0x000000000090A000-memory.dmp

Filesize
5.0MB

Download
memory/2936-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2936-15-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2936-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2936-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download