5808f60c452afaac69a4de6a345209e168a79b2a0c67de5ed0c227e6c4d2cc1c

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-en-20211104
submitted
21/11/2021, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MoleculeV_.bin.exe
Size

461KB
MD5

bb09e9b8daef63d4ebe21fcb2519c5d5
SHA1

9adacd3ed8963404925d72efa1acca50dd9673b8
SHA256

d47e0056a7336be404b2ddf56bdb6897046f6a6ddb0f38bb9f6674ca4c3eaf15
SHA512

18f6d6023d1922a6e81833ef294e7fba4dde436fd67727d30a5f7c9f0b564cd940dca58217222f54454d2177a2fd4303389f4d4e4cd6e2d0290309cfc85f6267

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
564	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	MoleculeV_.bin.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 564	368	MoleculeV_.bin.exe	28
PID 368 wrote to memory of 564	368	MoleculeV_.bin.exe	28
PID 368 wrote to memory of 564	368	MoleculeV_.bin.exe	28
PID 564 wrote to memory of 1544	564	cmd.exe	30
PID 564 wrote to memory of 1544	564	cmd.exe	30
PID 564 wrote to memory of 1544	564	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\MoleculeV_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\MoleculeV_.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MoleculeV_.bin.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-55-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/368-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-58-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download