Analysis

max time kernel: 43s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 05-07-2022 22:18

Static task: static1
Behavioral task: behavioral1
Sample: 809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe
Resource: win7-20220414-en
General

Target: 809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe
Size: 5.3MB
MD5: b76babadb0dc8806052579b97e45f0ff
SHA1: 2f7b7e70ac41d942c82976e13abc528788af2ae1
SHA256: 809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1
SHA512: 98604efeec79122f41c836be03f87166fcc0ea820613e8ea7b8d3bf40093d5dfc67015656532ad193b75f35a83eeff26810e81204eb2b09a1cf0f5749ae9560a
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  1620  mnkcix.exe
  1384  mnkcix.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2008  809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe
  2008  809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process     target process
  PID 1620 set thread context of 1384  1620  mnkcix.exe  mnkcix.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process                                                                   target process  occurrences
  PID 2008 wrote to memory of 1620  2008  809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe  mnkcix.exe      4
  PID 1620 wrote to memory of 1384  1620  mnkcix.exe                                                                mnkcix.exe      6
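The Signatures above record a two-hop chain: the sample (pid 2008) writes into the first mnkcix.exe (pid 1620), and that process writes into a second mnkcix.exe (pid 1384) and then calls SetThreadContext on it. A remote write into a freshly created child of the same image followed by a thread-context change is the sequence a responder reads as process hollowing (RunPE-style), with pid 1384 being the process whose memory is worth pulling for the unpacked payload. The Python below is an added example, not part of this report or of the sandbox's tooling: it transcribes the event rows from the Signatures tables into a constructed list and reconstructs the chain. The functions `injection_chain` and `analyse`, the `IMAGE_HASH` mapping and the verdict labels are the editor's own heuristic, not sandbox signatures.

```python
from collections import Counter

# Hashes transcribed from the report (the submitted sample and the dropped mnkcix.exe).
SAMPLE_SHA256 = "809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1"
SAMPLE_IMAGE = SAMPLE_SHA256 + ".exe"
DROPPED_SHA256 = "9e831a9512a6c11bd27850a9f472b426089822cbd9d693b15c65ee6a1a4b76bc"
IMAGE_HASH = {SAMPLE_IMAGE: SAMPLE_SHA256, "mnkcix.exe": DROPPED_SHA256}  # assumption: basename -> sha256

# Constructed from the Signatures tables: (api, source pid, source image, target pid, target image).
EVENTS = (
    [("WriteProcessMemory", 2008, SAMPLE_IMAGE, 1620, "mnkcix.exe")] * 4
    + [("WriteProcessMemory", 1620, "mnkcix.exe", 1384, "mnkcix.exe")] * 6
    + [("SetThreadContext", 1620, "mnkcix.exe", 1384, "mnkcix.exe")]
)


def injection_chain(events, leaf):
    """Walk WriteProcessMemory edges from `leaf` back to the process nobody wrote into."""
    parent = {}
    for api, spid, _, tpid, _ in events:
        if api == "WriteProcessMemory":
            parent.setdefault(tpid, spid)  # the first writer is treated as the injector
    chain = [leaf]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def analyse(events):
    """Score each (source, target) pair; verdict labels are the editor's heuristic."""
    writes, ctx, image = Counter(), set(), {}
    for api, spid, simg, tpid, timg in events:
        image[spid], image[tpid] = simg, timg
        if api == "WriteProcessMemory":
            writes[(spid, tpid)] += 1
        elif api == "SetThreadContext":
            ctx.add((spid, tpid))
    findings = []
    for (spid, tpid), n in sorted(writes.items()):
        same_image = image[spid] == image[tpid]
        hijacked = (spid, tpid) in ctx
        if hijacked and same_image:
            # write + SetThreadContext into a child of the same image: hollowing pattern
            verdict = "process hollowing (write + SetThreadContext into own child)"
        elif hijacked:
            verdict = "thread hijack into foreign process"
        else:
            verdict = "remote memory write only"
        findings.append({
            "source": spid, "target": tpid, "writes": n,
            "target_image_sha256": IMAGE_HASH.get(image[tpid]),
            "set_thread_context": hijacked, "same_image": same_image,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, injection_chain(EVENTS, 1384))))
    for f in analyse(EVENTS):
        print(f"{f['source']} -> {f['target']}: {f['writes']} writes, {f['verdict']}")
```

Run against the transcribed rows it reports the chain 2008 -> 1620 -> 1384, marks the 1620 -> 1384 edge as hollowing and the 2008 -> 1620 edge as a remote write without a thread-context change. The 2008 -> 1620 writes alone do not establish hollowing; the sandbox only recorded SetThreadContext for the second hop. For the 1384 dump at the default image base 0x400000 listed under Downloads, compare its size against the 1.9MB mnkcix.exe on disk before assuming it is the full unpacked payload.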
Processes

C:\Users\Admin\AppData\Local\Temp\809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\809f720b347e0aa5f58c3a117129a76a19be445d5983892df7089c0e869c07c1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\cwf\CixMediaLektor\safe_media\LEQ\03421_kldvb\mnkcix.exe
    command line: "C:\ProgramData\cwf\CixMediaLektor\safe_media\LEQ\03421_kldvb\mnkcix.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\cwf\CixMediaLektor\safe_media\LEQ\03421_kldvb\mnkcix.exe
      command line: "C:\ProgramData\cwf\CixMediaLektor\safe_media\LEQ\03421_kldvb\mnkcix.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\cwf\CixMediaLektor\safe_media\LEQ\03421_kldvb\mnkcix.exe
(the report records the same file under both the C:\ProgramData\... and \ProgramData\... path spellings, with identical hashes in each entry)
Filesize: 1.9MB
MD5: 95bd190834a2adf7f48e0ef1375aacc8
SHA1: adc883c4793cb3ab09335e380cf99e23a3da55af
SHA256: 9e831a9512a6c11bd27850a9f472b426089822cbd9d693b15c65ee6a1a4b76bc
SHA512: bf96679c4709388f9c37fd93d0991d91efa4b79dc8b6b7640020052e6441a16fd01e2b11f994cb7e804846865866aed9646d682980af7ed4081cc7d9349545e7
memory/1384-60-0x0000000000400000-0x000000000043D000-memory.dmp
Filesize: 244KB

memory/1384-62-0x0000000000400000-0x000000000043D000-memory.dmp
Filesize: 244KB

memory/1384-63-0x000000000040CD2F-mapping.dmp

memory/1620-57-0x0000000000000000-mapping.dmp

memory/2008-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
Filesize: 8KB