1bd4fe07daaeb321a120cfbd1d02fdfefc2dae30b4dfa50adff0f85939d88792

Analysis

max time kernel
140s
max time network
132s
platform
windows7_x64
resource
win7-en-20210920
submitted
24-09-2021 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe
Size

231KB
MD5

6f6b0600d2fca1a17cc0e61ee301a9e6
SHA1

99694f7203ecde238810f545388e8ab38c690e9d
SHA256

15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa
SHA512

967002cd9f11d61bdacd1c46b9fc5b8150d660160345c97bbdd7547090aa2582a0a11041632e148e0137615756f60c3a940daf95bd86a9a59da275f0ad686389

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

downloader.exe

pid process

1604 downloader.exe

pid	process
1604	downloader.exe

Loads dropped DLL 2 IoCs

Processes:

15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe

pid	process
1468	15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe
1468	15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe

description	pid	process	target process
PID 1468 wrote to memory of 1604	1468	15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe	downloader.exe
PID 1468 wrote to memory of 1604	1468	15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe	downloader.exe
PID 1468 wrote to memory of 1604	1468	15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe	downloader.exe
PID 1468 wrote to memory of 1604	1468	15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe	downloader.exe

C:\Users\Admin\AppData\Local\Temp\15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe
"C:\Users\Admin\AppData\Local\Temp\15b40c27e6cf4c0912a9bd1208ba4f08ff11c2d3f7ece28835dd56c96f666cfa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\data\downloader.exe" preferences-ips
2⤵
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
e2af3bf792917ae2f91160f2b613252c

SHA1
9c6fd162d8a7b98533c8f97d1043ef8f8b3cdfa3

SHA256
c1685018a96fe3068ebad144898a0d8e7282820f45762310ca21f69f38197b4f

SHA512
3327caf66f8c9b544a4a19581ea274b1996f77e00f2f7abe6743ccac2c14aa0327c56a8d9551fedafd6656155a8c9b1a975466da6d019dcd1b1ccedc750f62e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\preferences-ips
MD5
9c92c29702d2a721b7e597a9399608d0

SHA1
34001260827b6023f1703185cbf51a39182bdd59

SHA256
89a9101c104bcc0b9d5875193438ebf1a16e4e41e4ab02943a7ff1a4c088ec5d

SHA512
2c5e93df10f858cb576985c4c183da92dacfd071b2d9397b672ac5c2a81454dd0cafa364887e450dcc69372fb8872fdd3298051553f1f7d54a91919f0d051860

Download Submit
\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
e2af3bf792917ae2f91160f2b613252c

SHA1
9c6fd162d8a7b98533c8f97d1043ef8f8b3cdfa3

SHA256
c1685018a96fe3068ebad144898a0d8e7282820f45762310ca21f69f38197b4f

SHA512
3327caf66f8c9b544a4a19581ea274b1996f77e00f2f7abe6743ccac2c14aa0327c56a8d9551fedafd6656155a8c9b1a975466da6d019dcd1b1ccedc750f62e4

Download Submit
\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
e2af3bf792917ae2f91160f2b613252c

SHA1
9c6fd162d8a7b98533c8f97d1043ef8f8b3cdfa3

SHA256
c1685018a96fe3068ebad144898a0d8e7282820f45762310ca21f69f38197b4f

SHA512
3327caf66f8c9b544a4a19581ea274b1996f77e00f2f7abe6743ccac2c14aa0327c56a8d9551fedafd6656155a8c9b1a975466da6d019dcd1b1ccedc750f62e4

Download Submit
memory/1468-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1604-57-0x0000000000000000-mapping.dmp

Download