46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
53s
max time network
17s
platform
windows7_x64
resource
win7
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/4ea45460c3e7c3d8486d3f7bec90c613.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PCVersion.exe

pid process

1328 PCVersion.exe

pid	process
1328	PCVersion.exe

Loads dropped DLL 10 IoCs

Processes:

4ea45460c3e7c3d8486d3f7bec90c613.exePCVersion.exe

pid	process
1108	4ea45460c3e7c3d8486d3f7bec90c613.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe
1328	PCVersion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PCVersion.exe

pid process

1328 PCVersion.exe
1328 PCVersion.exe

pid	process
1328	PCVersion.exe
1328	PCVersion.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4ea45460c3e7c3d8486d3f7bec90c613.exe

description	pid	process	target process
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe
PID 1108 wrote to memory of 1328	1108	4ea45460c3e7c3d8486d3f7bec90c613.exe	PCVersion.exe

C:\Users\Admin\AppData\Local\Temp\foo\4ea45460c3e7c3d8486d3f7bec90c613.exe
"C:\Users\Admin\AppData\Local\Temp\foo\4ea45460c3e7c3d8486d3f7bec90c613.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\HttpDownload.dll
MD5
fde294dab93e890a58e687f8f3233f3f

SHA1
080d907d8f19bac13a4ab6f08c4967d70a90abec

SHA256
2e38a0ebaff5c09fbf8575ddddb676863fd0680a3cceddcd8c650b2ab50ae73e

SHA512
647fbb50938f1ad385e5fb915ed9aab81787a82dbef76d561dbf332e275b901dedcd98a467d82dc8fcbf56c4ea0c8c4815affa93e5383170a9af396974f4fa69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\Image\background.png
MD5
ae08c8b1e04eb87ccdb404248ba840fb

SHA1
63df80fe4fd6ef361df6ae376cf4f98a3cac5c25

SHA256
3dec82d7fb6571a95ff6bf7eddd5c76894e1a150c0bfdce3cc4444ff5d93f78f

SHA512
47f8f990828e83c8c6a546d594e6a5a425babcc629a90810ed9754eede1f70b2353107b146874443e7352abf2ac8fdbfaf14fcc3f2958fe14adb6c19d20b3bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\MSVCP100.dll
MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\MSVCR100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
MD5
66296905d7c7039d64c43102b67d1bdf

SHA1
d41a5d884d6ecd03e05f53a24994c85cb84c207c

SHA256
d94fde23f94cea11583414e28fbe4e50883d1089c2a7e93ae5cdaa1023bcaa86

SHA512
2ddb5f71098bd79ee78c4cd72b4aeb985794217c0a699d1e98759ebdf5994e64b330d64d88104bf62a9f3ca729f45b20bf7c4e81a5fda020eab5fc01e97ca3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
MD5
66296905d7c7039d64c43102b67d1bdf

SHA1
d41a5d884d6ecd03e05f53a24994c85cb84c207c

SHA256
d94fde23f94cea11583414e28fbe4e50883d1089c2a7e93ae5cdaa1023bcaa86

SHA512
2ddb5f71098bd79ee78c4cd72b4aeb985794217c0a699d1e98759ebdf5994e64b330d64d88104bf62a9f3ca729f45b20bf7c4e81a5fda020eab5fc01e97ca3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersionStat.dll
MD5
f0885fef8460408c3f728d1023c1d54b

SHA1
99af959ff68a98e01bbd234efffa6c602318c111

SHA256
4c78452fc09dc8f14df1a5ba8f443843fd136acefd157695218b11a45ed14da0

SHA512
2cb6225938b52ec2fd71317a2c27d0a3b32110a4a8107bf9d66087267568778f1bc4b31e28acaeb1f2645574d9340971fedfa9939c655520b511d5aa943ea6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\UI.dll
MD5
ad2fa787e724138c6acd847eb0716336

SHA1
59a4fc77d2e0871706b6e5f49b84037e70413989

SHA256
b6afd39680ff615eb233907d92f2385816a6437d23cd74dc2354436828d43314

SHA512
c0b7f970a4a5e820eb369588b6a234071a7c6e04dd71a72fb71f598328e15127cb0cf7eeac3aed3b7140fd5ff5ef66b0a04e62ba84a27597ea513542ad6620a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\apps\AppInfo.dat
MD5
179844a0f50cdb4da0870bac1a47db9b

SHA1
145b1aa80f88e0e281c040b35ea1bf652f5bba85

SHA256
e7abe61b3841f86350b5c7dd0a1f63fb1df1664c93f5094ee7e3d18aed69ddc6

SHA512
3ac545d143e8dca3acb641abe14c4fe9112975ec2055b92699c1c50ff955d4e5c8034fdb135ffebdf44d508d1e258ac213d60aede79010c45be3df52cd2ac582

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\apps\icon.png
MD5
dbb26e0cee892ad1a97c28668aee4149

SHA1
d315b2c28c1c27c0933ad8859fd206865d1d34b1

SHA256
c7d0f793b1c629fbd4dffe7ac86901b14f48c2034bcac9a4ee2e8416c75335fc

SHA512
f7d0fe47e9addde43f50d0834712ce40ec5a637f33e26bf1da3102e7a9e26b0d090c3d99f001d0c92b2fcbaa9f3989f927236638bb00f40eb9b392280e3d9269

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\mfc100u.dll
MD5
f841f32ad816dbf130f10d86fab99b1a

SHA1
0f8b90814b33275cf39f95e769927497da9460bf

SHA256
7a4cfbce1eb48d4f8988212c2e338d7781b9894ef0f525e871c22bb730a74f3e

SHA512
6222f16722a61ee6950b6fbcbe46c2b08e2394ce3dd32d34656faf2719e190e66b4e59617c83f117ad3793b1292a107f275087b037cf1b6e4d9819323748079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\union.dll
MD5
e9a0ff7400cc5024c7a7a667ba525818

SHA1
96589de5bf840398e970978ec8f4df0a82f2eabe

SHA256
2f2ace00fc71af33debec3ff098d57d7826782a1e46e9d6a6dabb9a842437f2b

SHA512
b2b91f026da178d20e02d386d73ed0f989c8dc79d1aeb27a42adaaa0c36ef4f1267e3a2e4a03aaa3a304961f016fc292dae5a866a00a690c7221a684c48fccf8

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\HttpDownload.dll
MD5
fde294dab93e890a58e687f8f3233f3f

SHA1
080d907d8f19bac13a4ab6f08c4967d70a90abec

SHA256
2e38a0ebaff5c09fbf8575ddddb676863fd0680a3cceddcd8c650b2ab50ae73e

SHA512
647fbb50938f1ad385e5fb915ed9aab81787a82dbef76d561dbf332e275b901dedcd98a467d82dc8fcbf56c4ea0c8c4815affa93e5383170a9af396974f4fa69

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
MD5
66296905d7c7039d64c43102b67d1bdf

SHA1
d41a5d884d6ecd03e05f53a24994c85cb84c207c

SHA256
d94fde23f94cea11583414e28fbe4e50883d1089c2a7e93ae5cdaa1023bcaa86

SHA512
2ddb5f71098bd79ee78c4cd72b4aeb985794217c0a699d1e98759ebdf5994e64b330d64d88104bf62a9f3ca729f45b20bf7c4e81a5fda020eab5fc01e97ca3a6

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
MD5
66296905d7c7039d64c43102b67d1bdf

SHA1
d41a5d884d6ecd03e05f53a24994c85cb84c207c

SHA256
d94fde23f94cea11583414e28fbe4e50883d1089c2a7e93ae5cdaa1023bcaa86

SHA512
2ddb5f71098bd79ee78c4cd72b4aeb985794217c0a699d1e98759ebdf5994e64b330d64d88104bf62a9f3ca729f45b20bf7c4e81a5fda020eab5fc01e97ca3a6

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersion.exe
MD5
66296905d7c7039d64c43102b67d1bdf

SHA1
d41a5d884d6ecd03e05f53a24994c85cb84c207c

SHA256
d94fde23f94cea11583414e28fbe4e50883d1089c2a7e93ae5cdaa1023bcaa86

SHA512
2ddb5f71098bd79ee78c4cd72b4aeb985794217c0a699d1e98759ebdf5994e64b330d64d88104bf62a9f3ca729f45b20bf7c4e81a5fda020eab5fc01e97ca3a6

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\PCVersionStat.dll
MD5
f0885fef8460408c3f728d1023c1d54b

SHA1
99af959ff68a98e01bbd234efffa6c602318c111

SHA256
4c78452fc09dc8f14df1a5ba8f443843fd136acefd157695218b11a45ed14da0

SHA512
2cb6225938b52ec2fd71317a2c27d0a3b32110a4a8107bf9d66087267568778f1bc4b31e28acaeb1f2645574d9340971fedfa9939c655520b511d5aa943ea6e2

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\UI.dll
MD5
ad2fa787e724138c6acd847eb0716336

SHA1
59a4fc77d2e0871706b6e5f49b84037e70413989

SHA256
b6afd39680ff615eb233907d92f2385816a6437d23cd74dc2354436828d43314

SHA512
c0b7f970a4a5e820eb369588b6a234071a7c6e04dd71a72fb71f598328e15127cb0cf7eeac3aed3b7140fd5ff5ef66b0a04e62ba84a27597ea513542ad6620a1

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\mfc100u.dll
MD5
f841f32ad816dbf130f10d86fab99b1a

SHA1
0f8b90814b33275cf39f95e769927497da9460bf

SHA256
7a4cfbce1eb48d4f8988212c2e338d7781b9894ef0f525e871c22bb730a74f3e

SHA512
6222f16722a61ee6950b6fbcbe46c2b08e2394ce3dd32d34656faf2719e190e66b4e59617c83f117ad3793b1292a107f275087b037cf1b6e4d9819323748079a

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\msvcp100.dll
MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Local\Temp\ÐÇ×ùÔËÊÆ\union.dll
MD5
e9a0ff7400cc5024c7a7a667ba525818

SHA1
96589de5bf840398e970978ec8f4df0a82f2eabe

SHA256
2f2ace00fc71af33debec3ff098d57d7826782a1e46e9d6a6dabb9a842437f2b

SHA512
b2b91f026da178d20e02d386d73ed0f989c8dc79d1aeb27a42adaaa0c36ef4f1267e3a2e4a03aaa3a304961f016fc292dae5a866a00a690c7221a684c48fccf8

Download Submit
memory/1328-1-0x0000000000000000-mapping.dmp

Download