8b41f26e3063ae451f14111c69d28929e0ead8fbe4f11a40257761766553e657

General

Target

rundll3.exe
Size

5.6MB
MD5

be8e765b8622989c5e4aa6414c2b030c
SHA1

b6cb7f1ffcceff8fbe572594ffc6aa515420e0a0
SHA256

6fdb160c3b7a5813f187afd606ef2e24cfde0e66e3a0663ce65cd1372fdc32ab
SHA512

e0522301c8d2c156fe6157d7d1ca3a305078ed35bd3a2cf1131bea2a97246eaa8e00751cb4ad9c63e26d97149bdf5898da6d443d8c224735c81589462bd571ad
SSDEEP

49152:YfPM6fbpCpuj2TCOHIiRO06E6M5UqdJtunHnVnzm5EatXXzihWGNggHL/rF2tZVb:GpRY2IEfm

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4372	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2496	vlc.exe
5096	WINWORD.EXE
5096	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3876	rundll3.exe
1092	powershell.exe
1092	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe
2496	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2496	vlc.exe
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE
5096	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\rundll3.exe
"C:\Users\Admin\AppData\Local\Temp\rundll3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\AssertResume.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DenySwitch.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:4372

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EditShow.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD2422.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgkaibi3.dj0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
313B

MD5
1122379611c5deb49136f7e22f4c53a8

SHA1
51ace13eedc524f10f63d6fcfc6553b9e01cbfc3

SHA256
c4941691a440327f209e6674d6e270d67fd6235840a353ca53e326e67d666795

SHA512
395eef6cac34f875df91519bb288220c77206fd296426f21227c90abe856acd5c3defe8b1ea9f4461c63e233b422884c2bd0dbb0313c7476a2da34ed8f79d6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
c7d020a7bcf156f884b5d2cdefdf0414

SHA1
95b6b5906ddc68a6efaa5a6422a985c95c9ea66c

SHA256
19c31552a444d445ae4b424c076156b7b09631a963d50a13a0b6b85e29f47f7e

SHA512
9e475d8954576fb5b15ee88a54891efd195112113667696f2b4d2a781f1bde722cf2adccddd4f71474e443260b298ab02996f79b5bfe9e2e2157f96eb5fac39a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
604b190737bbc649efd74c4873359390

SHA1
f35d2970a08596db845a9a78d0021b9d3994b07f

SHA256
bb6c731b907ce96f3858dd5bcd4acb54f3fb067a6fe88b88253acdeacaea5010

SHA512
871cc20f03a1aa81034647e59ea8a90a069f250f2d8da0b7c8800ce9c236ad6ef9a29911c7ad5c2b51484e760f8f715c6c9ae2dc8a54201736d81cd0395521eb

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Lx2496

Filesize
77B

MD5
cb405ea3112a04e1fbd91adad97d7bd8

SHA1
fd5cddb6d224eec39b37b563a32ab91c3e2e284e

SHA256
2a6573dc283155b0029d75c5fd8349074482a9adb8384bcc3aefc59da1447aa9

SHA512
ccbb1f8231d55f88276ef880289b30ade3b80c31bd103070f7ac7e34470541fafea180ec7df953dfd16e99bb79db661a53739be7efdbf501adb2c7f1af1e342c

Download Submit
memory/1092-65-0x000002CA9D710000-0x000002CA9D786000-memory.dmp

Filesize
472KB

Download
memory/1092-64-0x000002CA9D640000-0x000002CA9D684000-memory.dmp

Filesize
272KB

Download
memory/1092-59-0x000002CA9C6D0000-0x000002CA9C6F2000-memory.dmp

Filesize
136KB

Download
memory/2496-37-0x0000016CDF610000-0x0000016CE0E7F000-memory.dmp

Filesize
24.4MB

Download
memory/2496-22-0x00007FFC1EE40000-0x00007FFC1EE57000-memory.dmp

Filesize
92KB

Download
memory/2496-36-0x00007FFC0CFC0000-0x00007FFC0D01C000-memory.dmp

Filesize
368KB

Download
memory/2496-34-0x00007FFC0D6D0000-0x00007FFC0D6E1000-memory.dmp

Filesize
68KB

Download
memory/2496-30-0x00007FFC0D760000-0x00007FFC0D7A1000-memory.dmp

Filesize
260KB

Download
memory/2496-24-0x00007FFC0F630000-0x00007FFC0F647000-memory.dmp

Filesize
92KB

Download
memory/2496-33-0x00007FFC0D6F0000-0x00007FFC0D701000-memory.dmp

Filesize
68KB

Download
memory/2496-32-0x00007FFC0D710000-0x00007FFC0D728000-memory.dmp

Filesize
96KB

Download
memory/2496-31-0x00007FFC0D730000-0x00007FFC0D751000-memory.dmp

Filesize
132KB

Download
memory/2496-29-0x00007FFC0D7B0000-0x00007FFC0E860000-memory.dmp

Filesize
16.7MB

Download
memory/2496-20-0x00007FFC0F1D0000-0x00007FFC0F486000-memory.dmp

Filesize
2.7MB

Download
memory/2496-49-0x00007FFC11290000-0x00007FFC112C4000-memory.dmp

Filesize
208KB

Download
memory/2496-48-0x00007FF79A730000-0x00007FF79A828000-memory.dmp

Filesize
992KB

Download
memory/2496-50-0x00007FFC0F1D0000-0x00007FFC0F486000-memory.dmp

Filesize
2.7MB

Download
memory/2496-51-0x00007FFC0D7B0000-0x00007FFC0E860000-memory.dmp

Filesize
16.7MB

Download
memory/2496-35-0x00007FFC0D6B0000-0x00007FFC0D6C1000-memory.dmp

Filesize
68KB

Download
memory/2496-21-0x00007FFC206A0000-0x00007FFC206B8000-memory.dmp

Filesize
96KB

Download
memory/2496-28-0x00007FFC0E860000-0x00007FFC0EA6B000-memory.dmp

Filesize
2.0MB

Download
memory/2496-23-0x00007FFC16870000-0x00007FFC16881000-memory.dmp

Filesize
68KB

Download
memory/2496-19-0x00007FFC11290000-0x00007FFC112C4000-memory.dmp

Filesize
208KB

Download
memory/2496-18-0x00007FF79A730000-0x00007FF79A828000-memory.dmp

Filesize
992KB

Download
memory/2496-27-0x00007FFC0F5D0000-0x00007FFC0F5E1000-memory.dmp

Filesize
68KB

Download
memory/2496-26-0x00007FFC0F5F0000-0x00007FFC0F60D000-memory.dmp

Filesize
116KB

Download
memory/2496-25-0x00007FFC0F610000-0x00007FFC0F621000-memory.dmp

Filesize
68KB

Download
memory/5096-76-0x00007FFBEC1B0000-0x00007FFBEC1C0000-memory.dmp

Filesize
64KB

Download
memory/5096-77-0x00007FFBEC1B0000-0x00007FFBEC1C0000-memory.dmp

Filesize
64KB

Download
memory/5096-75-0x00007FFBEE4B0000-0x00007FFBEE4C0000-memory.dmp

Filesize
64KB

Download
memory/5096-74-0x00007FFBEE4B0000-0x00007FFBEE4C0000-memory.dmp

Filesize
64KB

Download
memory/5096-72-0x00007FFBEE4B0000-0x00007FFBEE4C0000-memory.dmp

Filesize
64KB

Download
memory/5096-73-0x00007FFBEE4B0000-0x00007FFBEE4C0000-memory.dmp

Filesize
64KB

Download
memory/5096-71-0x00007FFBEE4B0000-0x00007FFBEE4C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads