7zS850A099E.zip

General

Target: 7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Filesize: 1MB
Completed: 19-01-2022 08:14
Score: 7/10
MD5: c4e681d218d1c9c4efe701b4c7554eb5
SHA1: c3b43d0fbc5ad442067546b9d40c16810bb379da
SHA256: 825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6

Signatures (4)

Discovery
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    PID   Process
    1488  rundll32.exe
    1488  rundll32.exe
    1488  rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: GetForegroundWindowSpam
    rundll32.exe

    Reported IOCs

    PID   Process
    1488  rundll32.exe
  • Suspicious use of WriteProcessMemory
    61e74fd8ef830_Tue23593425095.exe, control.exe

    Reported IOCs

    Description                      PID   Process                           Target process
    PID 1916 wrote to memory of 732  1916  61e74fd8ef830_Tue23593425095.exe  control.exe
    PID 1916 wrote to memory of 732  1916  61e74fd8ef830_Tue23593425095.exe  control.exe
    PID 1916 wrote to memory of 732  1916  61e74fd8ef830_Tue23593425095.exe  control.exe
    PID 1916 wrote to memory of 732  1916  61e74fd8ef830_Tue23593425095.exe  control.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
    PID 732 wrote to memory of 1488  732   control.exe                       rundll32.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"
    Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" .\G1V6MSEY.nr
      Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        PID:1488
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
    MD5: 5833d1af3c051231edc6bb9fc58bc81e
    SHA1: b86ad55d34da914eea5d38066d42b23a88196c40
    SHA256: de7810ca5d42e369822bddafe2da5fbba082b4aa72e42d754965fa627985c059
    SHA512: 678783d326866c15750389992a61e1ce36770ef2700db4ecc0ea97233489029ba8426bc92b75e6882738da68c6f0d7efee28cd1cd8086198e687f7ae42104058
  • \Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
    MD5: e23c9c12fa2606d1fdec5aaadbad1394
    SHA1: 50be3380f8f8632933e0246261bc8b7311b9bf60
    SHA256: 9d6b710539f45ee5aa5d1a54a76f5c7a7768eb7d60c5bc055f842f144ee1859a
    SHA512: 65c3eb4183565b32b0407cb4e0ae2e4bd16ac86984ec82574a7994009191994a5c5c4fd2d2303d6f2eea8a1c990e4eeb53def294d31e44f3360691608b0baf38
  • \Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
    MD5: 7d87ed55a79e00508cb6e5e55ccbe5fb
    SHA1: 13cad2c8bb4f106ade7de6e0ecee0d352d97fc16
    SHA256: 9d0f9c35e2710586177d36f6542ad03038bd9ee55b00068f370147a36eb0f7ed
    SHA512: e537f578bdd280e4368eca6cafb1e53836bca50fdcadfc273d8b7bec86cb3b6eb6053038c62edcbfe0b81c94ce770040421e6dce76ff65fc3489ad9d806992d3
  • \Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
    MD5: d7f92a486bd9c65871288cbd14bc4430
    SHA1: c70b87bb6d7325331c5d3ae20c3a409775a7b8c9
    SHA256: 28b1b1175387e3add1ef6facc53d4adb6b6de20bd68ebda1f042511f82c6760a
    SHA512: 62504a63bec75eb2cbab348fe7c1b42fd1368b7d5171b0d2ee69f4aff757f1d5996aae04e10dfcdfea2402378051bd9f1f57f6da47817e533b9576f84c44c9ae
  • memory/1916-54-0x0000000076041000-0x0000000076043000-memory.dmp