ecf857c6d2ddb6613dc98b490ca582e6627a5e2c23ef0df093fee897c34f08de

Resubmissions

07-05-2022 12:46

220507-pz56kscdh7 8

07-05-2022 05:23

220507-f25hdscae6 8

06-05-2022 12:59

220506-p724wshhc3 8

Analysis

max time kernel
39s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-05-2022 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194abc8ffd472dbd563e0cd1df8e3755.exe
Size

4.1MB
MD5

194abc8ffd472dbd563e0cd1df8e3755
SHA1

a6fb5ff7d555234ebdfe0dba332dd946192a19f9
SHA256

ecf857c6d2ddb6613dc98b490ca582e6627a5e2c23ef0df093fee897c34f08de
SHA512

225c849e8993fbe464d8511108e60892f4d35e5aabf8773340bad7078ba1f6d41c12094a6d89a539697c5671d92254f2072e7eed42576b8f3edb1de5c71ae00c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1868	194abc8ffd472dbd563e0cd1df8e3755.exe
1868	194abc8ffd472dbd563e0cd1df8e3755.exe
1868	194abc8ffd472dbd563e0cd1df8e3755.exe
1868	194abc8ffd472dbd563e0cd1df8e3755.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26
PID 1868 wrote to memory of 1456	1868	194abc8ffd472dbd563e0cd1df8e3755.exe	26

C:\Users\Admin\AppData\Local\Temp\194abc8ffd472dbd563e0cd1df8e3755.exe
"C:\Users\Admin\AppData\Local\Temp\194abc8ffd472dbd563e0cd1df8e3755.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
553KB

MD5
0cf99e8a42dec39d9f7d689fe417b6fc

SHA1
0da82b5614e42f2c68d530f4b38deac48a5a6cad

SHA256
78c3d9f71334b5ec5f3db6f70d7c9d6080f82181cbcfcc234c05f8744c7b8ba1

SHA512
a12d3631d553433e0a9a08422e72cbc360a2f32da5fec46af61143fa76404245eb9583028cfd8d79dd93f46f3eeb526d540994e6469b33517b9f9d96acc19a45

Download Submit
memory/1868-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download