Analysis
- max time kernel: 4294224s
- max time network: 176s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 10-03-2022 13:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
- Resource: win7-20220223-en
General
- Target: 57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
- Size: 4.2MB
- MD5: d59004727742eb8ba309368611e48019
- SHA1: 55b2dce59cf019f819a980a4a142383b8a537a06
- SHA256: 57e10092a0245e6d4d2c2c34100593f38cc6060aef482ca83e676b8715a114af
- SHA512: dd0c3b1893ef3b7cb0f9b4e565a8839b072b69ac40137622275885616ab25706a4b3effa6696c94ff9a41ee6cbd7fab5abbaa2ed97a7798ca04bb184be9c52f3
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow, pid, process):
    5   1568   WScript.exe
    6   1568   WScript.exe
    7   1568   WScript.exe
    9   1568   WScript.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    516    winrar-x64-591th.exe
    1416
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created   \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main   winrar-x64-591th.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    516    winrar-x64-591th.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    516    winrar-x64-591th.exe
    516    winrar-x64-591th.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 376 wrote to memory of 516     376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe   winrar-x64-591th.exe
    PID 376 wrote to memory of 516     376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe   winrar-x64-591th.exe
    PID 376 wrote to memory of 516     376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe   winrar-x64-591th.exe
    PID 376 wrote to memory of 1568    376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe   WScript.exe
    PID 376 wrote to memory of 1568    376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe   WScript.exe
    PID 376 wrote to memory of 1568    376    57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe   WScript.exe
    PID 1568 wrote to memory of 924    1568   WScript.exe                                          schtasks.exe
    PID 1568 wrote to memory of 924    1568   WScript.exe                                          schtasks.exe
    PID 1568 wrote to memory of 924    1568   WScript.exe                                          schtasks.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57E10092A0245E6D4D2C2C34100593F38CC6060AEF482.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\winrar-x64-591th.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64-591th.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Activator_cheker.JS"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\ProgramData\Activator_cheker.JS
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Activator_cheker.JS
  MD5: 01aa3142b7853a1bf64c3b4527473dc6
  SHA1: b72242e7af597ebed02174f84a4c3cdd20b397a2
  SHA256: 623ed43a12af43c757ab5b6f2699dcb5a766022a6855a87e2597d4842b8b0b0e
  SHA512: 5b941ce3b7a13666b079fe4e90bdb413a93cefa59a4260778c2e133d61e90859301d94a26d705d00c61528aac3baf90efe9aaa89318a0970be520be12be861fb
- C:\Users\Admin\AppData\Local\Temp\winrar-x64-591th.exe
  MD5: b17cbd558269b27a6619e0547eb38f3d
  SHA1: eecbbfe8508fa501a1a6873a60d1016faba02b45
  SHA256: 482e35b1769307cff7d9a55942c4880c2dd768dfaa43cf4e47d382c7c0e68e72
  SHA512: d3c4e36e61cab55d604dedbdf3693d916c27958e4196442602c277cc5e81ddba2c5d1551c87a226bdb85128a530680de08215ae41bba83507a430f594925004a
- memory/376-54-0x000007FEFC0F1000-0x000007FEFC0F3000-memory.dmp
  Filesize: 8KB