1bd4fe07daaeb321a120cfbd1d02fdfefc2dae30b4dfa50adff0f85939d88792

Analysis

max time kernel
148s
max time network
194s
platform
windows7_x64
resource
win7v20210408
submitted
24-09-2021 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
Size

362KB
MD5

d410cd964d3976d87860acc4f35a01c8
SHA1

8bd1bced5b6abc8e6802f1ddee328898d7dbdf65
SHA256

4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a
SHA512

394740c4ab964d3d6b667c54a54c8ae4411a4359a3ee2b68979486b38133c4e609e3554b01815aa9a27785d860adb3e50e84dc8dabf48a5150ac28e35bd13786

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

downloader.exeipfs.exeipfs.exe

pid process

1784 downloader.exe
1316 ipfs.exe
316 ipfs.exe

pid	process
1784	downloader.exe
1316	ipfs.exe
316	ipfs.exe

Loads dropped DLL 7 IoCs

Processes:

4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe

pid	process
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exeipfs.exe

description	pid	process	target process
PID 2008 wrote to memory of 1784	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 1784	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 1784	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 1784	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 1316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 1316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 1316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 1316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 316	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	ipfs.exe
PID 2008 wrote to memory of 336	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 336	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 336	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 2008 wrote to memory of 336	2008	4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe	downloader.exe
PID 316 wrote to memory of 1816	316	ipfs.exe	route.exe
PID 316 wrote to memory of 1816	316	ipfs.exe	route.exe
PID 316 wrote to memory of 1816	316	ipfs.exe	route.exe
PID 316 wrote to memory of 1816	316	ipfs.exe	route.exe

C:\Users\Admin\AppData\Local\Temp\4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe
"C:\Users\Admin\AppData\Local\Temp\4a32ef4d911a823aaeac64664a8f9e28890bbd20da689580802e23d571d0f68a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\data\downloader.exe" preferences-ips
2⤵
- Executes dropped EXE
PID:1784

C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
"C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe" init
2⤵
- Executes dropped EXE
PID:1316

C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
"C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe" daemon
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\route.exe
route print 0.0.0.0
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\data\downloader.exe" preferences-yt
2⤵
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ipfs\blocks\L5\CIQBIQXZ4NWWDXUSIYSCX7RE6EBXHMGENZNMUDEMGNKMGT2K6LLUL5Y.data
MD5
e5ceda8228b5f5cf03dc480911bc3d14

SHA1
491cf9c0d333847bb6d625fc69bd39745100baff

SHA256
1442f9e36d61de9246242bfe24f10373b0c46e5aca0c8c3354c34f4af2d745f7

SHA512
d22211a5c55a26b11fd287fa9532dd226ab65a5e72930c9f8802ed8a655607afdbe63aa476963e0581cc5a5e5dc2dc37ffe0f8d069a7fb46e40b7988671c8d42

Download Submit
C:\Users\Admin\.ipfs\blocks\N2\CIQDWKPBHXLJ3XVELRJZA2SYY7OGCSX6FRSIZS2VQQPVKOA2Z4VXN2I.data
MD5
d1c3b632bb05d58fe6c1ab061b38ac2a

SHA1
e93e8525510de01168a842f918a69e388c5dc8d2

SHA256
3b29e13dd69ddea45c53906a58c7dc614afe2c648ccb55841f55381acf2b76e9

SHA512
89ec053962a115d40a281f3a4cb3e74f01d7d3e125ca7eb5d16a1d19f9b256c0d70dfea064724d8de413825328997bfdc71655831f12eb9513de68215d9bea2c

Download Submit
C:\Users\Admin\.ipfs\blocks\PM\CIQKNNRB2NFYXUZDJ2UWNMSKYLGTKUYDRQTJCDI7JTUDFH6YOYNUPMA.data
MD5
70a5a06cfef7dfbd5149425eb369ad0f

SHA1
83c42e8bcbcba098ae15c17f8c0c112cd148765b

SHA256
a6b621d34b8bd3234ea966b24ac2cd3553038c26910d1f4ce8329fd8761b47b0

SHA512
0fdb30a4ae5cbca15ea07bf763211a68a9853ec756d8bf0eb5fc83534f2a30da10255782e57fa34dc40a9cd54275f2d179c4d5b0db109803d6a8a95ff19022e4

Download Submit
C:\Users\Admin\.ipfs\blocks\SHARDING
MD5
d713ff4594563267cab170596493dea3

SHA1
9ce016fb4dc32ee86c3f7e0d738679345bbe7d6a

SHA256
70fb6665a8db5fcc035e93750fe34b5a001a69bbde676ebcf64665c4a5876d58

SHA512
30d551e35b9c810d88179b8c81385f8c1a2bff12817337c9cf6f555158a9a8a39cc0b221431be83c21f5193dd5210740a141370ddfff0ba79f6d6a1125d39a4c

Download Submit
C:\Users\Admin\.ipfs\blocks\_README
MD5
35ad9a49218542e6a42b00ddfb944363

SHA1
d5029fa77bd02d4f4088413ff3d661fb89af0df9

SHA256
46d5d0498e45d09fd77030a4f47c059477c4967c55b6a31d4eef8c94d086dfad

SHA512
fc8e52c6d03209e7367f92048c06f57835a939d8bbac101f53ffe5c7b4a21ea3ca692278a15139f8549bdb2c55a38c95e915c9a4688a483183de125f7b61c9cb

Download Submit
C:\Users\Admin\.ipfs\blocks\diskUsage.cache
MD5
4b5a4d351b793b2237e78a341c9c1356

SHA1
31438deca1d9665da1deeb4007125883a1d89a2b

SHA256
d5bbae038bdd4df108b65b09626c7ecd7c4249a26ff48cba8ff746eb249e2c99

SHA512
f1eaebe4af69efe120a70ea4aa20a8d75140424d84e44c56aaee9c1d5b2d44a7571f2efcbc3aac9a0b0a0d5ea50e7d1530414c89af8d959274a8e77bb72570c5

Download Submit
C:\Users\Admin\.ipfs\config
MD5
b6668d4e387d5bdf26d7659c7b18806b

SHA1
d410ab0d26bd36789ca7575460711fa350d5d0cb

SHA256
3c73f57736408148d8e6c73e0d7304f0a9a67a9d42296674628264f80dec2808

SHA512
823f85ccc97b0869ca13c1558cd20ebcc2834b3b0760a9e1e5bdc9f796cf8667da7aa75c375220cbfded59764e496e152f7aa5775251d6c2340ceacb5c46006f

Download Submit
C:\Users\Admin\.ipfs\datastore\000002.ldb
MD5
867bab323a6b0356d762621e7cee4ea6

SHA1
3fcac7f7dfbf565a340ad4c3550eb577033745e1

SHA256
90c8afbad2aa860e1638c0bc341eb8712bb1f7c9452ffb75bac83d7f9fbd91e0

SHA512
0273a7a388757b6fda2630cf84edc9de680d61b17dea6f516b8f16da54d4ac43e318ad5aa2d97caf5a391463adb26eca55f953c8953c301893883a4eb3d4bc68

Download Submit
C:\Users\Admin\.ipfs\datastore\000003.log
MD5
0eb5bedfaa6862f376eaadaae1fad043

SHA1
8ede98ce8b60056e2c6c89702211999530992d14

SHA256
1660c1e98fa80d0d210dd363e7b32d93755d7168d5ddeadfb874a34f847bf6aa

SHA512
16d86923a57bd3c0c686d9c1d06aa4603f30c15486645cd4cfb7953f8366ca49616c42c22b8f79fe6b80deb02c6ab6febb4aeb4c4c730a1d827944b874f2db1a

Download Submit
C:\Users\Admin\.ipfs\datastore\CURRENT
MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\.ipfs\datastore\CURRENT.bak
MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\.ipfs\datastore\LOG
MD5
710f5a369c8fac4834e6f2ffa57484ca

SHA1
de6ddc62a8d29357ed43d26f60358856b81e483b

SHA256
7f6a28417ed3e9190fb6e0030a36c6c7ed43ac1f2aeb910eb45feeae0719f2dc

SHA512
c6e01d9544a9721b66fab2321374cf710bb592db777d1b8bd526cafc3b3967250b903e0b525ecfab170ab4756bce1c9308b4afff22a1f88dbb3e1d746533d170

Download Submit
C:\Users\Admin\.ipfs\datastore\MANIFEST-000004
MD5
2db88d28d0931eebf5e622cb716c1b39

SHA1
ea9f9183dce7f1a555556a0d7ba1f596e6a7410c

SHA256
f6cf2708d0394528e6171eecc3bce50fdd4ced44a41f0a0e48af21b0b9daf123

SHA512
d34e97d61e714cf99dce6ad97e335a3020b2b163910c753cabbf487f5b8e8f770ff71ff3c7b3fd0177de200bd63aa89ef7bf2a670a4461ef9b2d94e6192308fb

Download Submit
C:\Users\Admin\.ipfs\datastore_spec
MD5
9a9e40d83ab16950daa61f5ab536b77c

SHA1
f9f5fa0ab6f17688d6445a0502a81f093fb08d6c

SHA256
cb1f1e3c29472474de76bb5210dcd3f2500e91c8d88e3a709d519a754ee2eb6e

SHA512
6115c36d3112780c723bb9b1ddcd7ba255adcb8d905941fa3023004276c8a677d8bec4c5db24f873e054cc951cd8fdb9d235e2947adfa6aa9e9ed735e86bb42a

Download Submit
C:\Users\Admin\.ipfs\version
MD5
84bc3da1b3e33a18e8d5e1bdd7a18d7a

SHA1
d3964f9dad9f60363c81b688324d95b4ec7c8038

SHA256
10159baf262b43a92d95db59dae1f72c645127301661e0a3ce4e38b295a97c58

SHA512
61561e09d4cd2834f3714030c96f29d6aa16e7ab35051c91adbfdf3ee90bad5c2cb685d68e576325d16f521808ad560fa67ca0514905642ea3419e974d5e5893

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
2c4c72c31568e6a599de2a0e5dd1cc1e

SHA1
47ba3fdbf2e77899bc2a863a2c26ae60e485e4ba

SHA256
f9d4297b3e63173a27cd22aa077ff9af519813ad066b8178ffd74b81fe369f67

SHA512
cf4f29613d6a16befac57dbfb216e91c75cbe3b16c0efe244231c826f50c9419f6d06418b7253adff7a5d33c930dce6b7dd8ac3a455e4d2807d70137cf849ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\go-ipfs_v0.4.21_windows-386.zip
MD5
0623404982399341c3e8f62a5ad4dc36

SHA1
8430fbd30df64ba5c90ee3fb1774a1ed65f97cb5

SHA256
07731d13dfc46c023eeef7c5aedba954932f38824a1512f9f428eaf9fa89599b

SHA512
2be00aea7ecfc8bee014de820af4db1db706156c1c911217cec2867117de707a4f5ca4a53998389703be55271f30c53c29e33649db30b1490d47ea8f28f8052d

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\preferences-ips
MD5
9c92c29702d2a721b7e597a9399608d0

SHA1
34001260827b6023f1703185cbf51a39182bdd59

SHA256
89a9101c104bcc0b9d5875193438ebf1a16e4e41e4ab02943a7ff1a4c088ec5d

SHA512
2c5e93df10f858cb576985c4c183da92dacfd071b2d9397b672ac5c2a81454dd0cafa364887e450dcc69372fb8872fdd3298051553f1f7d54a91919f0d051860

Download Submit
C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
0f5fc5c4bb5b72464a54d6e36f1a1815

SHA1
b04a446d98bd9428f5a8a1eea742d0437631494f

SHA256
db1fdb281050c07b243d0ec79c25b3bab550cad64f140dedbb1f307aee1fec5b

SHA512
1a1bf10424e241cefca698308fc27414e81b09da395b6fdd9320697a8a6af651e910d46b00a325afcd9534fe9f339ece4f4928e7ee5f317e791954b2330552ca

Download Submit
C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
0f5fc5c4bb5b72464a54d6e36f1a1815

SHA1
b04a446d98bd9428f5a8a1eea742d0437631494f

SHA256
db1fdb281050c07b243d0ec79c25b3bab550cad64f140dedbb1f307aee1fec5b

SHA512
1a1bf10424e241cefca698308fc27414e81b09da395b6fdd9320697a8a6af651e910d46b00a325afcd9534fe9f339ece4f4928e7ee5f317e791954b2330552ca

Download Submit
\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
2c4c72c31568e6a599de2a0e5dd1cc1e

SHA1
47ba3fdbf2e77899bc2a863a2c26ae60e485e4ba

SHA256
f9d4297b3e63173a27cd22aa077ff9af519813ad066b8178ffd74b81fe369f67

SHA512
cf4f29613d6a16befac57dbfb216e91c75cbe3b16c0efe244231c826f50c9419f6d06418b7253adff7a5d33c930dce6b7dd8ac3a455e4d2807d70137cf849ca8

Download Submit
\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
2c4c72c31568e6a599de2a0e5dd1cc1e

SHA1
47ba3fdbf2e77899bc2a863a2c26ae60e485e4ba

SHA256
f9d4297b3e63173a27cd22aa077ff9af519813ad066b8178ffd74b81fe369f67

SHA512
cf4f29613d6a16befac57dbfb216e91c75cbe3b16c0efe244231c826f50c9419f6d06418b7253adff7a5d33c930dce6b7dd8ac3a455e4d2807d70137cf849ca8

Download Submit
\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
2c4c72c31568e6a599de2a0e5dd1cc1e

SHA1
47ba3fdbf2e77899bc2a863a2c26ae60e485e4ba

SHA256
f9d4297b3e63173a27cd22aa077ff9af519813ad066b8178ffd74b81fe369f67

SHA512
cf4f29613d6a16befac57dbfb216e91c75cbe3b16c0efe244231c826f50c9419f6d06418b7253adff7a5d33c930dce6b7dd8ac3a455e4d2807d70137cf849ca8

Download Submit
\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
2c4c72c31568e6a599de2a0e5dd1cc1e

SHA1
47ba3fdbf2e77899bc2a863a2c26ae60e485e4ba

SHA256
f9d4297b3e63173a27cd22aa077ff9af519813ad066b8178ffd74b81fe369f67

SHA512
cf4f29613d6a16befac57dbfb216e91c75cbe3b16c0efe244231c826f50c9419f6d06418b7253adff7a5d33c930dce6b7dd8ac3a455e4d2807d70137cf849ca8

Download Submit
\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
0f5fc5c4bb5b72464a54d6e36f1a1815

SHA1
b04a446d98bd9428f5a8a1eea742d0437631494f

SHA256
db1fdb281050c07b243d0ec79c25b3bab550cad64f140dedbb1f307aee1fec5b

SHA512
1a1bf10424e241cefca698308fc27414e81b09da395b6fdd9320697a8a6af651e910d46b00a325afcd9534fe9f339ece4f4928e7ee5f317e791954b2330552ca

Download Submit
\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
0f5fc5c4bb5b72464a54d6e36f1a1815

SHA1
b04a446d98bd9428f5a8a1eea742d0437631494f

SHA256
db1fdb281050c07b243d0ec79c25b3bab550cad64f140dedbb1f307aee1fec5b

SHA512
1a1bf10424e241cefca698308fc27414e81b09da395b6fdd9320697a8a6af651e910d46b00a325afcd9534fe9f339ece4f4928e7ee5f317e791954b2330552ca

Download Submit
\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
0f5fc5c4bb5b72464a54d6e36f1a1815

SHA1
b04a446d98bd9428f5a8a1eea742d0437631494f

SHA256
db1fdb281050c07b243d0ec79c25b3bab550cad64f140dedbb1f307aee1fec5b

SHA512
1a1bf10424e241cefca698308fc27414e81b09da395b6fdd9320697a8a6af651e910d46b00a325afcd9534fe9f339ece4f4928e7ee5f317e791954b2330552ca

Download Submit
memory/316-71-0x0000000000000000-mapping.dmp

Download
memory/336-75-0x0000000000000000-mapping.dmp

Download
memory/1316-68-0x0000000000000000-mapping.dmp

Download
memory/1784-62-0x0000000000000000-mapping.dmp

Download
memory/1816-90-0x0000000000000000-mapping.dmp

Download
memory/2008-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download