Analysis

  • max time kernel
    24s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    02-05-2022 18:51

General

  • Target

    6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe

  • Size

    4.4MB

  • MD5

    2d964916b664386abe7561039b62231f

  • SHA1

    c72b18c84ffc1cb5a8e9b7a876aa4830bff6e7cc

  • SHA256

    6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1

  • SHA512

    0c18454815efe42302de19d8c1f35b5e54a3ce2f5359f4bcce4f295f88bb823c61fd31edcc95cc1a78a8f08c3460508aaaefeed880fa5f5d06026900ded0f709

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but nothing else in this run corroborates encryption activity: the observed child processes only create two directories under %TEMP%, hide one of them with attrib +h, and clear the console. Treat the hit as generic drive enumeration until confirmed by file-write or network evidence.

  • Suspicious use of WriteProcessMemory (49 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
    "C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
        "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
          4⤵
          PID:952
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
          4⤵
          PID:1768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
            5⤵
            • Views/modifies file attributes
            PID:652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:1164
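The process tree above is a compact execution chain: the sample launches WScript.exe on a .vbs dropped into %APPDATA%\Windows\control, the script runs a dropped run.exe from the same directory, and run.exe uses cmd.exe to create directories under %TEMP% and hide one of them with attrib +h. The detection logic below is an added example written for this page, not sandbox output or code from the sample: it runs three rules and a parent-chain correlation over constructed Sysmon-style process-creation records whose paths and PIDs are copied from the tree (the record layout, the explorer.exe parent for PID 1524, the two benign decoy events and the rule names are all assumptions).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The field names are an assumption
    made for this example, not a real Sysmon or EDR schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree.
# PID 1200 (explorer.exe) and PIDs 3000/3001 are decoys added here.
SAMPLE_EVENTS = [
    ProcEvent(1200, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1524, 1200, r"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"'),
    ProcEvent(1064, 1524, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"'),
    ProcEvent(2020, 1064, r"C:\Users\Admin\AppData\Roaming\Windows\control\run.exe",
              r'"C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"'),
    ProcEvent(952, 2020, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"'),
    ProcEvent(1768, 2020, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"'),
    ProcEvent(564, 2020, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp"),
    ProcEvent(652, 564, r"C:\Windows\SysWOW64\attrib.exe",
              r"attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp"),
    ProcEvent(1164, 2020, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),
    # Benign decoys: hiding a folder outside %TEMP%, and a vendor script run from Program Files.
    ProcEvent(3000, 1200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c attrib +h C:\Users\Admin\Documents\notes"),
    ProcEvent(3001, 1200, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Program Files\Vendor\setup.vbs"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ROAMING_SCRIPT = re.compile(r"\\AppData\\Roaming\\.*\.(vbs|vbe|js|jse|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
TEMP_HIDE = re.compile(r"\battrib\s+(\+\w\s+)*\+h\b.*\\AppData\\Local\\Temp\\", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the three per-event rules; return (pid, rule_name) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        base = _base(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: a script host executing a script out of the roaming profile.
        if base in SCRIPT_HOSTS and ROAMING_SCRIPT.search(e.cmdline):
            hits.append((e.pid, "script_host_from_roaming_profile"))
        # Rule 2: an EXE under AppData whose parent is a script host.
        if (parent and _base(parent.image) in SCRIPT_HOSTS
                and base.endswith(".exe") and base not in SCRIPT_HOSTS
                and USER_WRITABLE.search(e.image)):
            hits.append((e.pid, "dropped_exe_spawned_by_script_host"))
        # Rule 3: attrib +h applied to a path under %TEMP% (cmd or attrib itself).
        if base in {"cmd.exe", "attrib.exe"} and TEMP_HIDE.search(e.cmdline):
            hits.append((e.pid, "hides_directory_in_temp"))
    return hits


def ancestry(events, pid):
    """Walk ppid links from pid to the root; cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def correlated(events):
    """PIDs of attrib +h hits that descend from a roaming-profile script host.
    Requiring the lineage is what keeps the lone decoy attrib (PID 3000) quiet."""
    hits = detect(events)
    script_pids = {p for p, r in hits if r == "script_host_from_roaming_profile"}
    out = {p for p, r in hits if r == "hides_directory_in_temp"
           and any(a.pid in script_pids for a in ancestry(events, p))}
    return sorted(out)


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
    print("correlated:", correlated(SAMPLE_EVENTS))
```

Rule 3 fires twice on the real tree (the cmd.exe wrapper, PID 564, and the attrib.exe child, PID 652), which is expected when both image and command line are logged; deduplicate on the ancestry root if you turn this into an alert. The correlation step is the part worth keeping: attrib +h under %TEMP% on its own is noisy, but the same command under a WScript.exe process that was started from %APPDATA% is the sequence this report shows.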

Network

MITRE ATT&CK Enterprise v6


Downloads

• C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

  Filesize

  96KB

  MD5

  5f56f53c24ea5f9bda096511228c9e40

  SHA1

  1103ed5f6571a334dfae63fefeb0d1f3a2a616c2

  SHA256

  4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4

  SHA512

  a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

• C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs

  Filesize

  113B

  MD5

  7c274b85448ea218e5c6d5521876f698

  SHA1

  bdd771453446e1e8654985f5c4b7ebb0bb9ada4d

  SHA256

  427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185

  SHA512

  3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6

• \Users\Admin\AppData\Roaming\Windows\control\run.exe

  Filesize

  96KB

  MD5

  5f56f53c24ea5f9bda096511228c9e40

  SHA1

  1103ed5f6571a334dfae63fefeb0d1f3a2a616c2

  SHA256

  4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4

  SHA512

  a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

• memory/564-68-0x0000000000000000-mapping.dmp

• memory/652-70-0x0000000000000000-mapping.dmp

• memory/952-64-0x0000000000000000-mapping.dmp

• memory/1064-55-0x0000000000000000-mapping.dmp

• memory/1164-72-0x0000000000000000-mapping.dmp

• memory/1524-54-0x0000000076851000-0x0000000076853000-memory.dmp

  Filesize

  8KB

• memory/1768-66-0x0000000000000000-mapping.dmp

• memory/2020-61-0x0000000000000000-mapping.dmp