095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2

Resubmissions

11/06/2021, 09:25

210611-4ldscwwnln 10

11/06/2021, 09:21

210611-h2e98z629s 8

Analysis

max time kernel
87s
max time network
95s
platform
windows7_x64
resource
win7v20210410
submitted
11/06/2021, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
Size

304KB
MD5

b38db96edbdac1684268b98c8dcffce7
SHA1

88d410bfa5810af0b3c6add7b4911f7a57ea7213
SHA256

095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2
SHA512

bee65541a8f563d793e6be861ad7e92183c6cfd36e14e558a9c01267d26c759cbc0871bfd6b66c692dfd2161df42705e9db2d9de2ad45d66471b36a4426eaaa3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1296	1073r.exe
1316	pbuSKfHcSlan.exe

Loads dropped DLL 4 IoCs

pid	Process
1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\S:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\R:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\K:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\G:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\F:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\X:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\V:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\M:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\J:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Y:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\T:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Q:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\P:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\O:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\I:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\Z:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\U:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\N:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\L:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\H:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened (read-only)	\??\E:	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.html	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1296	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	29
PID 1700 wrote to memory of 1296	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	29
PID 1700 wrote to memory of 1296	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	29
PID 1700 wrote to memory of 1296	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	29
PID 1700 wrote to memory of 1316	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	30
PID 1700 wrote to memory of 1316	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	30
PID 1700 wrote to memory of 1316	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	30
PID 1700 wrote to memory of 1316	1700	095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe	30

C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe
"C:\Users\Admin\AppData\Local\Temp\095cae47da0044f82f4bcc9a5cdf4bc099f3eccd2497b81afcd66c53286bc5f2.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\pbuSKfHcSlan.exe
  "C:\Users\Admin\AppData\Local\Temp\pbuSKfHcSlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1840
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-72-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1316-74-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1700-61-0x0000000035000000-0x0000000035054000-memory.dmp

Filesize
336KB

Download
memory/1700-60-0x0000000000220000-0x0000000000246000-memory.dmp

Filesize
152KB

Download
memory/1700-62-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download