929adcf731e730ee1251eeef8513fd774b1357c1c3e1da4d287722ed778434f9

Analysis

max time kernel
134s
max time network
123s
platform
windows7_x64
resource
win7-en-20211014
submitted
20-10-2021 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

San11 Tc/San11.exe
Size

5.9MB
MD5

07d46200af50166f44ed7208d3c65f67
SHA1

d9675b890bd29ff5274358083be77e9e361c7820
SHA256

bb0e70d0df97abb44faef927f36c2afe06bba148168aa39cc7dcf13b1ab9f651
SHA512

2c0757f14cea6bb7874ba82568ed4fbac61f07231924e2f9e6d26bce7df781e461bc3d9767fce445a701f43baed388929720597ac39f2c36e833dee57bff17c8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

~e5.0001

pid process

1252 ~e5.0001
Loads dropped DLL 6 IoCs

Processes:

San11.exe~e5.0001

pid process

1704 San11.exe
1704 San11.exe
1252 ~e5.0001
1704 San11.exe
1704 San11.exe
1704 San11.exe

pid	process
1252	~e5.0001

pid	process
1704	San11.exe
1704	San11.exe
1252	~e5.0001
1704	San11.exe
1704	San11.exe
1704	San11.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

San11.exe

description	ioc	process
File opened (read-only)	\??\B:	San11.exe
File opened (read-only)	\??\F:	San11.exe
File opened (read-only)	\??\J:	San11.exe
File opened (read-only)	\??\N:	San11.exe
File opened (read-only)	\??\Q:	San11.exe
File opened (read-only)	\??\W:	San11.exe
File opened (read-only)	\??\Y:	San11.exe
File opened (read-only)	\??\E:	San11.exe
File opened (read-only)	\??\K:	San11.exe
File opened (read-only)	\??\P:	San11.exe
File opened (read-only)	\??\S:	San11.exe
File opened (read-only)	\??\X:	San11.exe
File opened (read-only)	\??\Z:	San11.exe
File opened (read-only)	\??\A:	San11.exe
File opened (read-only)	\??\G:	San11.exe
File opened (read-only)	\??\U:	San11.exe
File opened (read-only)	\??\V:	San11.exe
File opened (read-only)	\??\H:	San11.exe
File opened (read-only)	\??\I:	San11.exe
File opened (read-only)	\??\L:	San11.exe
File opened (read-only)	\??\M:	San11.exe
File opened (read-only)	\??\O:	San11.exe
File opened (read-only)	\??\R:	San11.exe
File opened (read-only)	\??\T:	San11.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

San11.exe

description	pid	process	target process
PID 1704 wrote to memory of 1252	1704	San11.exe	~e5.0001
PID 1704 wrote to memory of 1252	1704	San11.exe	~e5.0001
PID 1704 wrote to memory of 1252	1704	San11.exe	~e5.0001
PID 1704 wrote to memory of 1252	1704	San11.exe	~e5.0001

C:\Users\Admin\AppData\Local\Temp\San11 Tc\San11.exe
"C:\Users\Admin\AppData\Local\Temp\San11 Tc\San11.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\~e5.0001
"C:\Users\Admin\AppData\Local\Temp\~e5.0001" 1704 "C:\Users\Admin\AppData\Local\Temp\""~e5.0001.dir.0000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~e5.0001
MD5
b9bcaeca2d337cf96c490c625884e9af

SHA1
2d82d74410c3748a2d4634800cd6a9b9d5beec81

SHA256
b3b7f9564e01ac379cb1e2bba1c7a5a1ae1627548bbad4c6a0844ca6c5c827aa

SHA512
a091e3ff60d9a5fab44234c859626ee623dfe4b199c37704bd879f027ff6f8501e2b384fd0ba62319479cab92e021d5067e7ab583c505bb0d358a45692e3a981

Download Submit
C:\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\PfdRun.pfd
MD5
0261b8f07012ab04b64daf42ea8bc092

SHA1
be1ba2c62a713b3a4a8d36408f8abcb2139378f3

SHA256
a3501267ef5112c0afb65fdf1d32ae4731aeaf29222ab8f2d4b450d06845efaf

SHA512
5b520571a221ef9c56fc938bed4c1f33db70cc09be41e87fe5479a1aaf0c9c72d12853513b3110d7bf7a5b5178eb0c46f2bd4f3036599f0ea753a936ef46e3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~df394b.tmp
MD5
336e3ef3db0cf3a6f4f038f92f4d2e62

SHA1
e0148a28907fc2f5a28dd0ab02634352d64a5f0e

SHA256
98aa5b28d050b6dcd75623a3f162aea10b5b7213e2080777d2742e96a31e3a60

SHA512
aa61636cc61c8ac298f3009b0d9118a5ba91553618535226fef01b6506a11d2e4a6d09fa4add9ba7c2e2a7b30c04b6c7d4882bd24d8f4767dfc721d6399197c5

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001
MD5
b9bcaeca2d337cf96c490c625884e9af

SHA1
2d82d74410c3748a2d4634800cd6a9b9d5beec81

SHA256
b3b7f9564e01ac379cb1e2bba1c7a5a1ae1627548bbad4c6a0844ca6c5c827aa

SHA512
a091e3ff60d9a5fab44234c859626ee623dfe4b199c37704bd879f027ff6f8501e2b384fd0ba62319479cab92e021d5067e7ab583c505bb0d358a45692e3a981

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001
MD5
b9bcaeca2d337cf96c490c625884e9af

SHA1
2d82d74410c3748a2d4634800cd6a9b9d5beec81

SHA256
b3b7f9564e01ac379cb1e2bba1c7a5a1ae1627548bbad4c6a0844ca6c5c827aa

SHA512
a091e3ff60d9a5fab44234c859626ee623dfe4b199c37704bd879f027ff6f8501e2b384fd0ba62319479cab92e021d5067e7ab583c505bb0d358a45692e3a981

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\DrvMgt.dll
MD5
9b188e6f9fac4b8fb8d536015589df37

SHA1
a5247ec0ec50b8f470c93bf23e3f2514c402d5ad

SHA256
538471b7ebe7db84153d4ece0012167805333152c2bf1f83c08da28945e6d85b

SHA512
a6e2963bd09b0d39f7ca929ae2eba1639e6301a93755bd83f1c853f55c658936585f6171d0376ee4022a84c9be5383f4522cfc8277b51502147d88664c7063dd

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~de13e4.tmp
MD5
df52aa569acf229c80d1beef0566ef5c

SHA1
7107142a3a88212666845f2da78a694ca3e7594d

SHA256
ec4cc717e32f1f1a07ae07805b52963ae960565dbddf2eb9d333b2fec0116bcc

SHA512
878fc1f4c2ec23d9a5d259b0fc5869cb66a55008ea5ed4efead8d46c9ba6986b760644b40a50f00fcb72fe045d5c2bd2e95753d46296521797696e097684aa14

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~df394b.tmp
MD5
336e3ef3db0cf3a6f4f038f92f4d2e62

SHA1
e0148a28907fc2f5a28dd0ab02634352d64a5f0e

SHA256
98aa5b28d050b6dcd75623a3f162aea10b5b7213e2080777d2742e96a31e3a60

SHA512
aa61636cc61c8ac298f3009b0d9118a5ba91553618535226fef01b6506a11d2e4a6d09fa4add9ba7c2e2a7b30c04b6c7d4882bd24d8f4767dfc721d6399197c5

Download Submit
\Users\Admin\AppData\Local\Temp\~e5.0001.dir.0000\~df394b.tmp
MD5
336e3ef3db0cf3a6f4f038f92f4d2e62

SHA1
e0148a28907fc2f5a28dd0ab02634352d64a5f0e

SHA256
98aa5b28d050b6dcd75623a3f162aea10b5b7213e2080777d2742e96a31e3a60

SHA512
aa61636cc61c8ac298f3009b0d9118a5ba91553618535226fef01b6506a11d2e4a6d09fa4add9ba7c2e2a7b30c04b6c7d4882bd24d8f4767dfc721d6399197c5

Download Submit
memory/1252-58-0x0000000000000000-mapping.dmp

Download
memory/1704-490-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-468-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-71-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-74-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-77-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-80-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-83-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-86-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-89-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-92-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-95-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-502-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-101-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-104-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-107-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-110-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-113-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-116-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-119-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-122-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-125-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-455-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-458-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-460-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-462-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-464-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-466-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-500-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-470-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-472-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-474-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-476-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-478-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-480-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-482-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-484-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-486-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-488-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-65-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-492-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-494-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-496-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-576-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-68-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-98-0x000000000B489000-0x000000000B48C000-memory.dmp

Filesize
12KB

Download
memory/1704-504-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-506-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-508-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-510-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-512-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-514-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-516-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-518-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-520-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-522-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-524-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-526-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-528-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-530-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-532-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-534-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-536-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-538-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-540-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-542-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-544-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-546-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-548-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-550-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-552-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-554-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-556-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-558-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-560-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-562-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-564-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-566-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-568-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-570-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-572-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-574-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-498-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-578-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-1013-0x0000000066700000-0x000000006683E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-1014-0x000000000B633000-0x000000000B637000-memory.dmp

Filesize
16KB

Download
memory/1704-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download