f403e5db7055c16c5608a7c5c5e8d72541f88a83720b84f6ee2a8ed7212f75a8

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-01-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS850A099E/61e74fd8ef830_Tue23593425095.exe
Size

1.6MB
MD5

c4e681d218d1c9c4efe701b4c7554eb5
SHA1

c3b43d0fbc5ad442067546b9d40c16810bb379da
SHA256

825a970bd11d349ba089e70419036c01ebb8cfd06e4abbec6bf58e9c7566a5e6
SHA512

b8d4ee6093835b0ec398f8884097db0bf1026e581743151241fb1489b061ba463dacf35b9af17f49ddc9d22769e9ebd763d9bfdb7e4d99e47a4e256c493ba3b5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

rundll32.exe

pid process

572 rundll32.exe
572 rundll32.exe
572 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

572 rundll32.exe

pid	process
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe

pid	process
572	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

61e74fd8ef830_Tue23593425095.execontrol.exe

description	pid	process	target process
PID 1564 wrote to memory of 1172	1564	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 1564 wrote to memory of 1172	1564	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 1564 wrote to memory of 1172	1564	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 1564 wrote to memory of 1172	1564	61e74fd8ef830_Tue23593425095.exe	control.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe
PID 1172 wrote to memory of 572	1172	control.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe
"C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd8ef830_Tue23593425095.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\G1V6MSEY.nr
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\G1V6MSEY.nr
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
e6bce7d07564e9860761b0b194d3479e

SHA1
93fa94682eaeeff73013a8b483f7e655a61a7971

SHA256
4790a2e705aabb155bd303379709c3d8de1514b38bb0fbe96965303e217acc58

SHA512
23d5277b5c13de3a82a06ce32047e65d51e2dc4420c614876a7fb4dd4863d47e3021af66cbb449714d55f07260440714d608003e46c9e8f347cc3f2dc8dcf6ca

Download Submit
\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
a345b51d41d005c9035fcf679f7c92c9

SHA1
0e48249f29d2dfe1cc3bf4dbcb95e2b94f0efe47

SHA256
ebcceb07721b13601e64df91a02ecaa0c8ee7642c29deeb7c837e6b4f8cc0abd

SHA512
c5246eab56891d4cfad08a30252a5a63be91487600e65173c354900404d52f5e69ae2234fa889614ac7b65065c006645c2eea353cd41a4cfb4757d050a71eae2

Download Submit
\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
719b4e0609bdbda5dbac21d85a7e106a

SHA1
1692e4dc9e8f43ee4592a310a5a821e121566b36

SHA256
3dfc9ccc9fbf3d308c4394addd891f5ce2c0fbe0c4b9a8b35cdd21d4a50b2342

SHA512
b1f80e7086e1cd667abb87a55ffbfa092cf0342bfb092e98f65fd832504c55da10e7e511a29db0082ac014b8fe50346008fafce68d23cee8571c419be2e49cfc

Download Submit
\Users\Admin\AppData\Local\Temp\G1V6MSEY.nr
MD5
e2caa194016570950508549bda67e7d1

SHA1
f3e584ef6878497731f864d4ca851136d8407b42

SHA256
af1874d9e318c330c3f4c0a564a497c1fd4a1adb7f32cf2cbbf7adabe58975c1

SHA512
fdb28280c32799665e5316a3950bce3ba4ed892a9fb84a789ea868c0c8a5ed0e5755a986bc51b0068c8b63b9d0ef7c4ec109ff6311449634870925e67dbf2860

Download Submit
memory/1564-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download