c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14

Analysis

max time kernel
4294183s
max time network
128s
platform
windows7_x64
resource
win7-20220311-en
submitted
27-03-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
Size

8.2MB
MD5

478e874435babd1f3e3d9c382c3f868b
SHA1

9e8fccdfb2400cd286cfb8e9a7e2c4e4b932892c
SHA256

c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14
SHA512

23cbf711d51221989f7b344c523f3b0206bef562d3d7d0c2681c39eda515a292a3db5265ee9430f854561ad97412ceea4b5ec6c636e8d67c985c6042251e975c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
640	IsCabView.exe
1728	topoedit.exe

Loads dropped DLL 3 IoCs

pid	Process
2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2020 wrote to memory of 2004	2020	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	27
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 2004 wrote to memory of 908	2004	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	28
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 908 wrote to memory of 1592	908	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	29
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30
PID 1592 wrote to memory of 640	1592	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	30

C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
"C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\is-P6O5P.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P6O5P.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp" /SL5="$400DA,7739299,780800,C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
    "C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\is-0T5ST.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0T5ST.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp" /SL5="$500DA,7739299,780800,C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe
        
        "C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe"
        5⤵
        Executes dropped EXE
        
        PID:640
    - - C:\Users\Admin\AppData\Roaming\Directory Monitor\topoedit.exe
        
        "C:\Users\Admin\AppData\Roaming\Directory Monitor\topoedit.exe"
        5⤵
        Executes dropped EXE
        
        PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0T5ST.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Filesize
3.0MB

MD5
2193a48f602050074f8c3b779d7ff4d1

SHA1
33ce1181833b2f8009213d3237ccab96d8c27594

SHA256
bf7e946ca708f8ee4815dbb2347f9067fb0e564127b4864c4b6f6bb13a091fa8

SHA512
14d9078972dc5ac9a9621e869568427c02772e60714e11b8864dea37dd2760b32d74ffe870312aa064491962bbbb354850e6fef18666c6fde6556e4f163afe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P6O5P.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Filesize
3.0MB

MD5
2193a48f602050074f8c3b779d7ff4d1

SHA1
33ce1181833b2f8009213d3237ccab96d8c27594

SHA256
bf7e946ca708f8ee4815dbb2347f9067fb0e564127b4864c4b6f6bb13a091fa8

SHA512
14d9078972dc5ac9a9621e869568427c02772e60714e11b8864dea37dd2760b32d74ffe870312aa064491962bbbb354850e6fef18666c6fde6556e4f163afe91

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe

Filesize
1.5MB

MD5
e98f599801e6dd5e652f830591be9438

SHA1
f3237ac703649c23e3eb3482fb0ac932d3c61801

SHA256
7c0c00d7fe55cce5cc4deb15948eab7d69d61344c432aaaff168f1f15f69d78e

SHA512
a1f12328e84b4bfabcf51dfac26e7a78cd598ef3aac5decfeedd5f032680b661054a1615870aec7e94b2d9e34eb6a656cf14b166e115cb18988f6424ff215706

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\topoedit.exe

Filesize
151KB

MD5
d80a26a6547ce365a0645ba639be43f2

SHA1
4854e4b492254c2c980f6cd8875bdf55edfec7f5

SHA256
a6edd9c0456423e561259f434ad4cab6d61ad7ff6bab80bbc13a0a72de410430

SHA512
fd0e20c24becaecc32ceb789ed1fc9d31bdbdc2cb565c09a444678e6ba738561a4eb22cb5946180945f38ec71e82c11b0356ca1c226b2d6aa99e18cc0120f9fb

Download Submit
\Users\Admin\AppData\Local\Temp\is-0T5ST.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Filesize
3.0MB

MD5
2193a48f602050074f8c3b779d7ff4d1

SHA1
33ce1181833b2f8009213d3237ccab96d8c27594

SHA256
bf7e946ca708f8ee4815dbb2347f9067fb0e564127b4864c4b6f6bb13a091fa8

SHA512
14d9078972dc5ac9a9621e869568427c02772e60714e11b8864dea37dd2760b32d74ffe870312aa064491962bbbb354850e6fef18666c6fde6556e4f163afe91

Download Submit
\Users\Admin\AppData\Local\Temp\is-P6O5P.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Filesize
3.0MB

MD5
2193a48f602050074f8c3b779d7ff4d1

SHA1
33ce1181833b2f8009213d3237ccab96d8c27594

SHA256
bf7e946ca708f8ee4815dbb2347f9067fb0e564127b4864c4b6f6bb13a091fa8

SHA512
14d9078972dc5ac9a9621e869568427c02772e60714e11b8864dea37dd2760b32d74ffe870312aa064491962bbbb354850e6fef18666c6fde6556e4f163afe91

Download Submit
\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe

Filesize
1.5MB

MD5
e98f599801e6dd5e652f830591be9438

SHA1
f3237ac703649c23e3eb3482fb0ac932d3c61801

SHA256
7c0c00d7fe55cce5cc4deb15948eab7d69d61344c432aaaff168f1f15f69d78e

SHA512
a1f12328e84b4bfabcf51dfac26e7a78cd598ef3aac5decfeedd5f032680b661054a1615870aec7e94b2d9e34eb6a656cf14b166e115cb18988f6424ff215706

Download Submit
memory/908-64-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/908-70-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1592-71-0x0000000074131000-0x0000000074133000-memory.dmp

Filesize
8KB

Download
memory/2020-61-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2020-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download