321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
Size

528KB
MD5

021036ddba0dd176450dee2bf9bc78be
SHA1

480b3dd332cc50690b34bc95a787b5550e7b0b1f
SHA256

321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b
SHA512

679528231ff9f2d258abfdbc26c8a7f9d92792186c7c233ec3bdce33659a4ab699034d3f147f9a7a622ea648201916961ea99a79f0e36ff065125f3c5fc22222

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1624	file.sfx.exe
1664	file.exe

Loads dropped DLL 7 IoCs

pid	Process
1980	cmd.exe
1624	file.sfx.exe
1624	file.sfx.exe
1624	file.sfx.exe
1624	file.sfx.exe
296	dw20.exe
296	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1980	624	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	28
PID 624 wrote to memory of 1980	624	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	28
PID 624 wrote to memory of 1980	624	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	28
PID 624 wrote to memory of 1980	624	321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe	28
PID 1980 wrote to memory of 1624	1980	cmd.exe	30
PID 1980 wrote to memory of 1624	1980	cmd.exe	30
PID 1980 wrote to memory of 1624	1980	cmd.exe	30
PID 1980 wrote to memory of 1624	1980	cmd.exe	30
PID 1624 wrote to memory of 1664	1624	file.sfx.exe	31
PID 1624 wrote to memory of 1664	1624	file.sfx.exe	31
PID 1624 wrote to memory of 1664	1624	file.sfx.exe	31
PID 1624 wrote to memory of 1664	1624	file.sfx.exe	31
PID 1664 wrote to memory of 296	1664	file.exe	33
PID 1664 wrote to memory of 296	1664	file.exe	33
PID 1664 wrote to memory of 296	1664	file.exe	33
PID 1664 wrote to memory of 296	1664	file.exe	33

C:\Users\Admin\AppData\Local\Temp\321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe
"C:\Users\Admin\AppData\Local\Temp\321d6b3381a565dc5723f27609b7cd9534e6e547aecf1ddc412314612038586b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe
    file.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 748
        5⤵
        Loads dropped DLL
        
        PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe

Filesize
421KB

MD5
2ae23c73c42d6ca1edd5079a8f79d201

SHA1
7d05177655dc45ee1d42f71eb74c7b25c673d045

SHA256
abed5db3fa500dac15f4bc593d63c40e1675b07a8495c045c226554d4e3c432d

SHA512
28a36f08af19e82ae15672a538e419dc6e8c4be17827970e9e018e3b201db27c56af29deced3a6881924d522f3083476427ec501a212be16725e0dedefeb0c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe

Filesize
421KB

MD5
2ae23c73c42d6ca1edd5079a8f79d201

SHA1
7d05177655dc45ee1d42f71eb74c7b25c673d045

SHA256
abed5db3fa500dac15f4bc593d63c40e1675b07a8495c045c226554d4e3c432d

SHA512
28a36f08af19e82ae15672a538e419dc6e8c4be17827970e9e018e3b201db27c56af29deced3a6881924d522f3083476427ec501a212be16725e0dedefeb0c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat

Filesize
27B

MD5
b6bf10ab968bbd2f09a2fc4101270792

SHA1
cf44ad7212810afdaa3b14e372266e98479eb265

SHA256
f1aaf3772de986179160ed31976d1eda0ba756883378a97ab56b17e3c99b5864

SHA512
ebc36b8601f77863eb954ca2a4c5435d45a37a6852146b86be9f5c8803387837313c9724f58d8f2fd8c72dbac992cd0200fdaba71cb25bac225e3c4c92cbf0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.sfx.exe

Filesize
421KB

MD5
2ae23c73c42d6ca1edd5079a8f79d201

SHA1
7d05177655dc45ee1d42f71eb74c7b25c673d045

SHA256
abed5db3fa500dac15f4bc593d63c40e1675b07a8495c045c226554d4e3c432d

SHA512
28a36f08af19e82ae15672a538e419dc6e8c4be17827970e9e018e3b201db27c56af29deced3a6881924d522f3083476427ec501a212be16725e0dedefeb0c63

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe

Filesize
317KB

MD5
e8287544aae935fee36555cf492f48a7

SHA1
fe3ca2efc08fa5400d409febfcb2f7be745b452f

SHA256
351ab0e5f6f8925cd6adb8ca667d2c12eced771e5e09a7f64981d82a177153d0

SHA512
85f0feb2ee75ad4b1eddbfb38e1ba88187be3a231c0da99486a99143f264ba1ce3c6579ee10f09001f93b1d31d962cfcd41f80ae513a9e09d854d38f4e2e13b6

Download Submit
memory/624-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1664-70-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-75-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download