Overview

overview

8

Static

static

One-Page-L...as.exe

windows7_x64

8

One-Page-L...as.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    4294185s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    12-03-2022 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    One-Page-Lease-Agreement-Texas.exe

  • Size

    261.0MB

  • MD5

    7194384ed0ce511e24b0e119d0d068f6

  • SHA1

    9ea9e3f52602988a922e8d8fda000f060be2b248

  • SHA256

    7cc35fbce4b353c541f1ee62366248cc072d1c7ce38b1d5ef5db4a2414f26e08

  • SHA512

    0faea84e368d301b7b056630b82c9f2a49f01252e66f5699ddf81f879d22fc74e08a810252e87a58cd9e5b147e9c1682678308781d08fd65e2edb2c8017c98d7

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe
    "C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\qhjjfwcr.exe
      "C:\Users\Admin\AppData\Local\Temp\qhjjfwcr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe
      "C:\Users\Admin\AppData\Local\Temp\One-Page-Lease-Agreement-Texas.exe" /r
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1176 -s 592
        3⤵
        • Program crash
        PID:1616
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89C08C382447DE4EBB0ED41BA4125F2E C
      2⤵
      • Loads dropped DLL
      PID:1916

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/432-66-0x000007FEFC121000-0x000007FEFC123000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-60-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-59-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1268-54-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1268-56-0x000000001B170000-0x000000001B172000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1268-55-0x0000000000AF0000-0x0000000000F98000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1748-63-0x0000000074881000-0x0000000074883000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1748-62-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1748-58-0x0000000075A31000-0x0000000075A33000-memory.dmp

    Filesize

    8KB

    Download