Overview

overview

8

Static

static

17c6f4e45d...3f.exe

windows7_x64

8

17c6f4e45d...3f.exe

windows10_x64

8

Resubmissions

19-01-2022 16:33

220119-t2qacsbeh6 10

25-11-2021 12:35

211125-pskw3aaee2 8

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    25-11-2021 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe

  • Size

    6.5MB

  • MD5

    b16e827ee8db29cb90c85570f41b9409

  • SHA1

    ae319c1b25eebe9b6256d9efce5da495e7483c77

  • SHA256

    17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f

  • SHA512

    496e5e096ca6dde20dbe220cd7a628fdee4803a0ba82b961e322b206cf65f7b0b5748ff51f5fd2dec26e3329ae6208f12d570ea7158cbe08d8ddf2ed4e7684c1

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe
    "C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11 0.0.1.7\install\AC3E5AF\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1637584144 " AI_EUIMSI=""
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:1120
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DC157D6EC763AD0EA7B29F4791DCA432 C
      2⤵
      • Loads dropped DLL
      PID:936
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 45F8B7851849D9517649299917538103
      2⤵
      • Loads dropped DLL
      PID:1956
    • C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11\evreporter.exe
      "C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11\evreporter.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1064

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/792-55-0x0000000075A01000-0x0000000075A03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1664-58-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

    Filesize

    8KB

    Download