48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-07-2022 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
Size

216KB
MD5

670497e6310600fe3149d128946cf9df
SHA1

82a807efec4d2751e0834f5605e13001c6450841
SHA256

48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e
SHA512

4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1788	spoolsv.exe
1136	spoolsv.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	spoolsv.exe

Loads dropped DLL 3 IoCs

pid	Process
1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
1788	spoolsv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1788 set thread context of 1136	1788	spoolsv.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
1788	spoolsv.exe
1136	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1272 wrote to memory of 1636	1272	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	28
PID 1636 wrote to memory of 1788	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	30
PID 1636 wrote to memory of 1788	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	30
PID 1636 wrote to memory of 1788	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	30
PID 1636 wrote to memory of 1788	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	30
PID 1636 wrote to memory of 1572	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	31
PID 1636 wrote to memory of 1572	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	31
PID 1636 wrote to memory of 1572	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	31
PID 1636 wrote to memory of 1572	1636	48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe	31
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33
PID 1788 wrote to memory of 1136	1788	spoolsv.exe	33

C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
"C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe
  "C:\Users\Admin\AppData\Local\Temp\48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
    C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
      C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\A4C53E67.cmd
    3⤵
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A4C53E67.cmd

Filesize
170B

MD5
4414617ebfbe9b746f303ab2beda9181

SHA1
a36ba204774113d095d94e3a472e1d61e670641f

SHA256
d8f910880e7f21875cc60167eeb8884a65b55058e86a71be344d1eb43cf8191e

SHA512
461b4d15149d77871952c421267d3247db3b3dda9a202789cb216e7bfae28aaa771b012c76154a256c36b233492551d89d6d72ad5edfe32e1e55831270e1ecf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs

Filesize
384B

MD5
824a719d4a5cce2f0603e9bd63bae64c

SHA1
381ea9689a1ca092dfa375f160bc269adde97f8d

SHA256
addece724ab9ff11addbf757c3f26b3499f1a372f391d67a04514a93ad8699ac

SHA512
8ef76ca77c9a970b7f33afb761d310587412dc8e411259422ca227faac5e51db8da87592545d5e8a10623ed26f1e51d43ae8d2cd471deffb4ca43e8a9832eb3e

Download Submit
C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\spoolsv.exe

Filesize
216KB

MD5
670497e6310600fe3149d128946cf9df

SHA1
82a807efec4d2751e0834f5605e13001c6450841

SHA256
48357e221b1e06c02805694894b00da3042087d2144f303f11e1ca8a3e5e701e

SHA512
4a631b40b65622206ed7f8afebab255f33d54486b377f33c428ddda98f6e1a27bed003c021fae06faafe5df063f835f4f9ddb194d89966eae2447e53e6c32090

Download Submit
memory/1136-96-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1136-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1272-57-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1272-56-0x00000000002B0000-0x00000000002C5000-memory.dmp

Filesize
84KB

Download
memory/1272-60-0x00000000002B0000-0x00000000002C5000-memory.dmp

Filesize
84KB

Download
memory/1636-70-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-62-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1636-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-80-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-59-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-66-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-68-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-71-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-88-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download
memory/1636-90-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/1636-89-0x0000000000400000-0x000000000041024F-memory.dmp

Filesize
64KB

Download
memory/1636-69-0x0000000000401000-0x0000000000411000-memory.dmp

Filesize
64KB

Download