Analysis

  • max time kernel: 122s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 19-01-2022 08:10

General

  • Target: 7zS850A099E/61e74fd8ef830_Tue23593425095.exe
  • Size: 1.6MB
  • MD5: c4e681d218d1c9c4efe701b4c7554eb5
  • SHA1: c3b43d0fbc5ad442067546b9d40c16810bb379da
  • SHA256: 825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6
  • SHA512: b8d4ee6093835b0ec398f8884097db0bf1026e581743151241fb1489b061ba463dacf35b9af17f49ddc9d22769e9ebd763d9bfdb7e4d99e47a4e256c493ba3b5

Score: 7/10

Malware Config

Signatures

  • Loads dropped DLL (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe (PID 1916)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\control.exe (PID 732)
      Command line: "C:\Windows\System32\control.exe" .\G1V6MSEY.nr
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\rundll32.exe (PID 1488)
        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr

  • \Users\Admin\AppData\Local\Temp\G1V6MSEY.nr

  • \Users\Admin\AppData\Local\Temp\G1V6MSEY.nr

  • \Users\Admin\AppData\Local\Temp\G1V6MSEY.nr

  • memory/1916-54-0x0000000076041000-0x0000000076043000-memory.dmp (Filesize: 8KB)