Overview

overview

10

Static

static

68c7e900bb...e8.exe

windows7_x64

10

68c7e900bb...e8.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    168s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.exe

  • Size

    23.8MB

  • MD5

    ed161d7cba77635b7a144d4c78dd1095

  • SHA1

    aa36d448fb0220e1e085269d6eea1e985fece913

  • SHA256

    68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8

  • SHA512

    f4de6b1a3e86232ac6e30fe51a2d2750a459a701abca1bdee81ad746ce65e6e9d84240a00e84e5134ab7e374f2709dc6375c05191a2cbf5b1f267041a2111c6c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.exe
    "C:\Users\Admin\AppData\Local\Temp\68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\is-PM6DK.tmp\68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PM6DK.tmp\68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.tmp" /SL5="$70028,24208968,747008,C:\Users\Admin\AppData\Local\Temp\68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Program Files (x86)\IObit Uninstaller Pro 9.5.0.15.exe
        "C:\Program Files (x86)\IObit Uninstaller Pro 9.5.0.15.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Users\Admin\AppData\Local\Temp\is-RCMOR.tmp\IObit Uninstaller Pro 9.5.0.15.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-RCMOR.tmp\IObit Uninstaller Pro 9.5.0.15.tmp" /SL5="$220022,17055524,79872,C:\Program Files (x86)\IObit Uninstaller Pro 9.5.0.15.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\SysWOW64\net.exe
            "net" stop "IObit Uninstaller Service"
            5⤵
              PID:1836

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\IObit Uninstaller Pro 9.5.0.15.exe
      Filesize

      16.6MB

      MD5

      b94949bc0cf7c7b3ecb695b33f0069d2

      SHA1

      0ad91e26503080fbcf9f5e1acfaafdb3f9664bef

      SHA256

      a1b83b65615abb8d2f7efe2614473f25af101ba8699c8878a85288f871a93e6f

      SHA512

      493f3af236b2c59222237b853644b8a050bfd10bfd2ca127416259aaf69fd18a22e93d6fdfe3b96a93acc861f3acad54e367ef322a132c4549fee821beb0dced

      Download Submit
    • C:\Program Files (x86)\IObit Uninstaller Pro 9.5.0.15.exe
      Filesize

      16.6MB

      MD5

      b94949bc0cf7c7b3ecb695b33f0069d2

      SHA1

      0ad91e26503080fbcf9f5e1acfaafdb3f9664bef

      SHA256

      a1b83b65615abb8d2f7efe2614473f25af101ba8699c8878a85288f871a93e6f

      SHA512

      493f3af236b2c59222237b853644b8a050bfd10bfd2ca127416259aaf69fd18a22e93d6fdfe3b96a93acc861f3acad54e367ef322a132c4549fee821beb0dced

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\is-KV70K.tmp\_isetup\_iscrypt.dll
      Filesize

      2KB

      MD5

      a69559718ab506675e907fe49deb71e9

      SHA1

      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

      SHA256

      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

      SHA512

      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\is-PM6DK.tmp\68c7e900bb693ec6d37b54b67804cda4f6da7ffa046678e9632898710ef17fe8.tmp
      Filesize

      2.4MB

      MD5

      c61664ff8eeba236d0dc75aa2e4434ea

      SHA1

      8a2fe3fab17cfa09b6aa972e3776e367b5950ff2

      SHA256

      9f6a5b21dd98317466ff936420191b7053e68c3c69573ef0ef0abf81598ce943

      SHA512

      437f2947e84f5e5ba3ae49b0dda8db43a5a04c7367c69b38a5b76fc24624b4eadd066d6881b0edcb0add016ae0c9aadea09738730eb4be55ddf60371ed876d99

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\is-RCMOR.tmp\IObit Uninstaller Pro 9.5.0.15.tmp
      Filesize

      925KB

      MD5

      ef7fc3c2ed7787654ceed06b68263b36

      SHA1

      ca3722592a75a4ce9b7a77568cc9c94e473d4ebb

      SHA256

      b875919598df0d881102f1865f59fa805b15d999862f4ccc96c64e2bdf2b0ed5

      SHA512

      d0e01cbee477056e54c597953c9ca83d221f51abbf7fa2450b9e01ffc701956d62d926dd732b729c55c58896d0395ad1a25738d248e381b8d5a22c270c1d1f15

      Download Submit
    • memory/1836-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1932-142-0x0000000000000000-mapping.dmp
      Download
    • memory/3120-141-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3120-138-0x0000000000400000-0x000000000041A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3120-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4048-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4688-130-0x0000000000400000-0x00000000004C4000-memory.dmp
      Filesize

      784KB

      Download
    • memory/4688-134-0x0000000000400000-0x00000000004C4000-memory.dmp
      Filesize

      784KB

      Download