3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c

Analysis

max time kernel
54s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe
Size

4.4MB
MD5

e9f2ee42a89a766fdf4d2e7a210e4c9d
SHA1

a8129abd67e4f89ddb6abd0ffbf6ff4a6a7dfee5
SHA256

3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c
SHA512

ecbc01684ca05081206f5805ff9894eda21421c7fcd21c8aab0717adb97e4d5d65d5d26d63e056899a5dc62852c4799691000cb6ae4fcf966faa309e71ffa35c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	run.exe

Loads dropped DLL 2 IoCs

pid	Process
944	WScript.exe
944	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 1880 wrote to memory of 944	1880	3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe	27
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 944 wrote to memory of 2012	944	WScript.exe	28
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 276	2012	run.exe	30
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1724	2012	run.exe	31
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 2012 wrote to memory of 1076	2012	run.exe	32
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 1076 wrote to memory of 1164	1076	cmd.exe	33
PID 2012 wrote to memory of 280	2012	run.exe	34
PID 2012 wrote to memory of 280	2012	run.exe	34
PID 2012 wrote to memory of 280	2012	run.exe	34
PID 2012 wrote to memory of 280	2012	run.exe	34
PID 2012 wrote to memory of 280	2012	run.exe	34
PID 2012 wrote to memory of 280	2012	run.exe	34
PID 2012 wrote to memory of 280	2012	run.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe
"C:\Users\Admin\AppData\Local\Temp\3f7dab7cdfdb383c4d7b5f950e1336eb41e3288c958ba4936419d41a40bbd31c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
    "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      4⤵
      PID:276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
        5⤵
        Views/modifies file attributes
        
        PID:1164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

Filesize
96KB

MD5
5f56f53c24ea5f9bda096511228c9e40

SHA1
1103ed5f6571a334dfae63fefeb0d1f3a2a616c2

SHA256
4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4

SHA512
a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\run.exe

Filesize
96KB

MD5
5f56f53c24ea5f9bda096511228c9e40

SHA1
1103ed5f6571a334dfae63fefeb0d1f3a2a616c2

SHA256
4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4

SHA512
a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs

Filesize
113B

MD5
7c274b85448ea218e5c6d5521876f698

SHA1
bdd771453446e1e8654985f5c4b7ebb0bb9ada4d

SHA256
427b7d229ae6a8717edb0e5cc156c2025d0d737400d6a22d5de9d4504b7b3185

SHA512
3c0a482e3f5b628cccae9730fb7fbf2f9e8c6fb7d8c52d39beffe8b3a3de184d2df6d5fa412801eca6cf80a7ee8109394e4918c467af88dac767462f01051df6

Download Submit
\Users\Admin\AppData\Roaming\Windows\control\run.exe

Filesize
96KB

MD5
5f56f53c24ea5f9bda096511228c9e40

SHA1
1103ed5f6571a334dfae63fefeb0d1f3a2a616c2

SHA256
4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4

SHA512
a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

Download Submit
\Users\Admin\AppData\Roaming\Windows\control\run.exe

Filesize
96KB

MD5
5f56f53c24ea5f9bda096511228c9e40

SHA1
1103ed5f6571a334dfae63fefeb0d1f3a2a616c2

SHA256
4ae925d4b3bb61c460e8a91174e5d3a0e24df5c7d660ed63bce3272c91359ba4

SHA512
a621859008c1f38f0c9ea53dbbfc82ccdca9bcdf402d2ac868a202f2bb39d4cef5338cf69df30980aa4d5bea0c062f4be26f00f3b56979920863445e980f4ecb

Download Submit
memory/1880-54-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads