c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7v20210410
submitted
16-07-2021 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe
Size

1.7MB
MD5

7ed622a78bd8afc3c3891379febcf640
SHA1

43758603237366de8594e2eb353414148b09ddfc
SHA256

c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60
SHA512

013941579b00ae7f22a5f65df29992fae96637041e91856cc856168732214057d19a3412b6336ca6ca182cfa7a69c66958741769067f828ae75a240445bd5ec4

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
960	NewkeyLauncher.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe
1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe
1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe
960	NewkeyLauncher.exe
960	NewkeyLauncher.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31
PID 1048 wrote to memory of 960	1048	c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe	31

C:\Users\Admin\AppData\Local\Temp\c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe
"C:\Users\Admin\AppData\Local\Temp\c175e5125ab14f67e2e59301a0d6a6f2a770f4f5731bb6cb3bf37f6253ce4f60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\INDESK\NewkeyLauncher.exe
  "C:\INDESK\NewkeyLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download