Analysis
- max time kernel: 121s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
  Resource: win10-en-20211208
General
- Target: 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
- Size: 611KB
- MD5: 69a643800f737f841917023ae7ee9b34
- SHA1: effda16b763f8d6fd4f2baf7779367eabf9678ec
- SHA256: 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca
- SHA512: 543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  416   لحلحرطلرطلتداك.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid   process
  3516  74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
  3516  74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
  416   لحلحرطلرطلتداك.exe
  416   لحلحرطلرطلتداك.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                        pid   process                                                                   target process
  PID 3516 wrote to memory of 416    3516  74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe  لحلحرطلرطلتداك.exe
  PID 3516 wrote to memory of 416    3516  74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe  لحلحرطلرطلتداك.exe
  PID 3516 wrote to memory of 416    3516  74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe  لحلحرطلرطلتداك.exe
  PID 416 wrote to memory of 4264    416   لحلحرطلرطلتداك.exe                                                        svchost.exe
  PID 416 wrote to memory of 4264    416   لحلحرطلرطلتداك.exe                                                        svchost.exe
  PID 416 wrote to memory of 4264    416   لحلحرطلرطلتداك.exe                                                        svchost.exe
  PID 416 wrote to memory of 4264    416   لحلحرطلرطلتداك.exe                                                        svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\لحلحرطلرطلتداك.exe
    Command line: "C:\ProgramData\لحلحرطلرطلتداك.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\لحلحرطلرطلتداك.exe
  MD5: 69a643800f737f841917023ae7ee9b34
  SHA1: effda16b763f8d6fd4f2baf7779367eabf9678ec
  SHA256: 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca
  SHA512: 543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c
- C:\ProgramData\لحلحرطلرطلتداك.exe
  MD5: 69a643800f737f841917023ae7ee9b34
  SHA1: effda16b763f8d6fd4f2baf7779367eabf9678ec
  SHA256: 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca
  SHA512: 543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c
- memory/416-122-0x0000000000520000-0x000000000066A000-memory.dmp
  Filesize: 1.3MB
- memory/4264-125-0x000002A0A5810000-0x000002A0A582E000-memory.dmp
  Filesize: 120KB