9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f

Analysis

max time kernel
44s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-05-2022 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87953bdf18ba88061cf28ad17116b56f.exe
Size

1.9MB
MD5

87953bdf18ba88061cf28ad17116b56f
SHA1

bc04b30d0e7ca0fc34b1d507ab4b991e0cc5dbc6
SHA256

9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f
SHA512

19d8520c62da97a0a793c1f9eb17ae5865ea3d6d9e4734ac5e4069c864f52fccf06d5961c136095c73e7ee6c3ce1e9ae0038f32e8941f5aa2599327111b386c3

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1248 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1248	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

87953bdf18ba88061cf28ad17116b56f.exe

description	pid	process	target process
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 1452 wrote to memory of 1248	1452	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\87953bdf18ba88061cf28ad17116b56f.exe
"C:\Users\Admin\AppData\Local\Temp\87953bdf18ba88061cf28ad17116b56f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /U /S V8NgH.K
2⤵
- Loads dropped DLL
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V8NgH.K
Filesize
682.8MB

MD5
dec75150ae1a88326cfbba1ad4d90345

SHA1
65b35717ab19045a80017968c353880aa01fe08f

SHA256
346f5d0021dbd8ffeb55fb83e6841c6442c8720c615cba5b9b2e469d1306d6b7

SHA512
3d319e1438b1af5900df98dc05e443d0bfb8e0a008d0e145a430fb0c8dfd0fe9864da94f9c4ed3194633daf7ca6fb1aef71ffda8b8fc64e962050808a7d35ebd

Download Submit
\Users\Admin\AppData\Local\Temp\v8NgH.K
Filesize
682.8MB

MD5
dec75150ae1a88326cfbba1ad4d90345

SHA1
65b35717ab19045a80017968c353880aa01fe08f

SHA256
346f5d0021dbd8ffeb55fb83e6841c6442c8720c615cba5b9b2e469d1306d6b7

SHA512
3d319e1438b1af5900df98dc05e443d0bfb8e0a008d0e145a430fb0c8dfd0fe9864da94f9c4ed3194633daf7ca6fb1aef71ffda8b8fc64e962050808a7d35ebd

Download Submit
memory/1248-55-0x0000000000000000-mapping.dmp

Download
memory/1248-59-0x0000000001F90000-0x0000000002F90000-memory.dmp

Filesize
16.0MB

Download
memory/1248-60-0x000000002DA30000-0x000000002DB0F000-memory.dmp

Filesize
892KB

Download
memory/1248-61-0x000000002D000000-0x000000002D0BB000-memory.dmp

Filesize
748KB

Download
memory/1248-62-0x000000002DB10000-0x000000002DBC4000-memory.dmp

Filesize
720KB

Download
memory/1248-63-0x0000000000710000-0x00000000007B0000-memory.dmp

Filesize
640KB

Download
memory/1452-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download