Analysis
max time kernel: 24s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 02-05-2022 18:51
Static task: static1
Behavioral task: behavioral1
Sample: 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Resource: win7-20220414-en

General
Target: 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Size: 4.4MB
MD5: 2d964916b664386abe7561039b62231f
SHA1: c72b18c84ffc1cb5a8e9b7a876aa4830bff6e7cc
SHA256: 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1
SHA512: 0c18454815efe42302de19d8c1f35b5e54a3ce2f5359f4bcce4f295f88bb823c61fd31edcc95cc1a78a8f08c3460508aaaefeed880fa5f5d06026900ded0f709
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID 2020  run.exe

Loads dropped DLL (2 IoCs)
  PID 1064  WScript.exe
  PID 1064  WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That description is the sandbox's boilerplate text for this signature. Nothing else in this report corroborates ransomware activity, so on its own it is a weak indicator.

Suspicious use of WriteProcessMemory (49 IoCs)
  The 49 rows collapse to seven source -> target pairs, each listed seven times:
  source PID  source process                                                          target PID  target process   rows
  1524        6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe    1064        WScript.exe      7
  1064        WScript.exe                                                             2020        run.exe          7
  2020        run.exe                                                                 952         cmd.exe          7
  2020        run.exe                                                                 1768        cmd.exe          7
  2020        run.exe                                                                 564         cmd.exe          7
  564         cmd.exe                                                                 652         attrib.exe       7
  2020        run.exe                                                                 1164        cmd.exe          7
  Every write goes from a parent into a child it has itself just created; no process writes into a pre-existing or unrelated process. That matches the writes a parent makes while setting up a new child, so this signature alone is not evidence of injection into another process.

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 652  attrib.exe  (attrib +h on C:\Users\Admin\AppData\Local\Temp\ytmp)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe  (PID 1524)
   command line: "C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\WScript.exe  (PID 1064)
     command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\Windows\control\run.exe  (PID 2020)
       command line: "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\cmd.exe  (PID 952)
         command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      4. C:\Windows\SysWOW64\cmd.exe  (PID 1768)
         command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
      4. C:\Windows\SysWOW64\cmd.exe  (PID 564)
         command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\attrib.exe  (PID 652)
           command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
           - Views/modifies file attributes
      4. C:\Windows\SysWOW64\cmd.exe  (PID 1164)
         command line: C:\Windows\system32\cmd.exe /c cls

Reading the tree: the sample, running from %TEMP%, launches WScript.exe on a dropped start.vbs under %APPDATA%\Windows\control; that script starts run.exe from the same directory, which uses cmd.exe to create %TEMP%\afolder and %TEMP%\ytmp, hides ytmp with attrib +h, and clears the console. The command lines say C:\Windows\System32 while the image paths say C:\Windows\SysWOW64 because the sample is a 32-bit process on windows7_x64 and WOW64 file system redirection maps its System32 references to SysWOW64. The report does not show the contents of start.vbs or any persistence mechanism.
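The process tree and the WriteProcessMemory rows above are also a small detection data set. The block below is an added example, not part of the sandbox report or the sample: it reproduces the reported tree as structured events, collapses the 49 WriteProcessMemory rows into source -> target pairs, checks that every write stays within parent -> child, and runs three rules distilled from the observed chain (script host executing a script from AppData, an AppData executable spawned by a script host, attrib +h on a %TEMP% directory). The (pid, ppid, image, command line) layout is an assumption about how a Sysmon or EDR process-creation log would be normalised.

```python
"""Added example: the report's process tree as input to a few detection rules.
EVENTS and WPM_ROWS are constructed from the report's own PIDs, images, command
lines and WriteProcessMemory rows; the tuple layout is an assumed normalisation."""
import re
from collections import Counter

SAMPLE = "6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = r"C:\Users\Admin\AppData\Roaming\Windows\control"
SYS64 = r"C:\Windows\SysWOW64"

# (pid, ppid, image, command line) from the report's tree; ppid 0 marks the root.
EVENTS = [
    (1524, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (1064, 1524, SYS64 + r"\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "' + DROP + r'\start.vbs"'),
    (2020, 1064, DROP + r"\run.exe", '"' + DROP + r'\run.exe"'),
    (952, 2020, SYS64 + r"\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c if not exist "' + TEMP + r'\afolder" mkdir "' + TEMP + r'\afolder"'),
    (1768, 2020, SYS64 + r"\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c if not exist "' + TEMP + r'\ytmp" mkdir "' + TEMP + r'\ytmp"'),
    (564, 2020, SYS64 + r"\cmd.exe", r"C:\Windows\system32\cmd.exe /c attrib +h " + TEMP + r"\ytmp"),
    (652, 564, SYS64 + r"\attrib.exe", r"attrib +h " + TEMP + r"\ytmp"),
    (1164, 2020, SYS64 + r"\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),
]

# The report's 49 WriteProcessMemory rows in its own row format: seven distinct
# pairs, each listed seven times (the report groups them by pair; order is irrelevant here).
WPM_ROWS = [
    f"PID 1524 wrote to memory of 1064 1524 {SAMPLE} WScript.exe",
    "PID 1064 wrote to memory of 2020 1064 WScript.exe run.exe",
    "PID 2020 wrote to memory of 952 2020 run.exe cmd.exe",
    "PID 2020 wrote to memory of 1768 2020 run.exe cmd.exe",
    "PID 2020 wrote to memory of 564 2020 run.exe cmd.exe",
    "PID 564 wrote to memory of 652 564 cmd.exe attrib.exe",
    "PID 2020 wrote to memory of 1164 2020 run.exe cmd.exe",
] * 7

# Row layout: source pid, target pid, source pid again, source image, target image.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def collapse_wpm(rows):
    """Count rows per (source pid, source image, target pid, target image)."""
    counts = Counter()
    for row in rows:
        m = WPM_RE.fullmatch(row.strip())
        if m:
            counts[(int(m[1]), m[3], int(m[2]), m[4])] += 1
    return counts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Process names from the tree root down to pid (leaf last)."""
    parent = {p: pp for p, pp, _, _ in events}
    image = {p: img for p, _, img, _ in events}
    chain = []
    while pid in image:
        chain.append(basename(image[pid]))
        pid = parent[pid]
    return chain[::-1]


def writes_stay_in_tree(events, counts):
    """True when every WriteProcessMemory target is the direct child of its writer."""
    parent = {p: pp for p, pp, _, _ in events}
    return all(parent.get(tgt) == src for src, _, tgt, _ in counts)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
HIDE_TEMP = re.compile(r"\battrib\b.*\+h\b.*\\AppData\\Local\\Temp\\", re.IGNORECASE)


def evaluate(events):
    """Rules distilled from the reported chain; returns (pid, rule, evidence) tuples."""
    image = {p: img for p, _, img, _ in events}
    findings = []
    for pid, ppid, img, cmd in events:
        name, parent_name = basename(img), basename(image.get(ppid, ""))
        if name in SCRIPT_HOSTS and APPDATA.search(cmd):          # script run from a user's AppData
            findings.append((pid, "script-host-from-appdata", cmd))
        if parent_name in SCRIPT_HOSTS and APPDATA.search(img):   # dropped EXE started by the script host
            findings.append((pid, "appdata-exe-via-script-host", img))
        if name == "attrib.exe" and HIDE_TEMP.search(cmd):        # hiding a %TEMP% directory
            findings.append((pid, "hidden-temp-dir", cmd))
    return findings


if __name__ == "__main__":
    pairs = collapse_wpm(WPM_ROWS)
    for (src, simg, tgt, timg), n in sorted(pairs.items()):
        print(f"{src:>5} {simg[:16]:<16} -> {tgt:>5} {timg:<12} x{n}")
    print("writes confined to parent->child:", writes_stay_in_tree(EVENTS, pairs))
    print(" -> ".join(ancestry(EVENTS, 652)))
    for finding in evaluate(EVENTS):
        print(*finding)
```

Against this report the rules fire on PIDs 1064, 2020 and 652 and the WriteProcessMemory check confirms all 49 writes are parent into own child. The regexes are deliberately path-shaped rather than name-shaped (any user, any AppData subfolder) so the same logic carries to samples that drop into a different directory.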
Network
MITRE ATT&CK Enterprise v6
Downloads
Five entries: one 96KB file listed four times (identical hashes on every listing) and one 113B file.

File 1 (listed 4 times)
  Filesize: 96KB
  MD5: 5f56f53c24ea5f9bda096511228c9e40
  SHA1: 1103ed5f6571a334dfae63fefeb0d1f3a2a616c2
  SHA256: 4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4
  SHA512: a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

File 2
  Filesize: 113B
  MD5: 7c274b85448ea218e5c6d5521876f698
  SHA1: bdd771453446e1e8654985f5c4b7ebb0bb9ada4d
  SHA256: 427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185
  SHA512: 3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6