Analysis
- max time kernel: 151s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 02:24
Behavioral task: behavioral1
- Sample: 0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
- Resource: win10v2004-20220721-en
General
- Target: 0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
- Size: 3.2MB
- MD5: 51eb93aaca0e50e7623ab67c61d1b1fb
- SHA1: c862db8b0d8a15b02e3cb3296aa618c46edc822b
- SHA256: 0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901
- SHA512: e31728d6b1fd9781a0d29840d054b6e3f1869db40b185d74b8f2e4fbea526b712e3ee614784fba9ccf78d532ea3640885ee5b0e1a2793aa27da9dbea6d99af0a
Malware Config
Signatures
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1648  mls.exe
-
Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"   0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RAC\\svcsc.exe"   mls.exe
HTTP links in PDF interactive object (1 IoCs)
Detects HTTP links in interactive objects within PDF files.
Processes:
  resource                                                                                                   yara_rule
  C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.pdf   pdf_with_link_action
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  1584  AcroRd32.exe
  1584  AcroRd32.exe
  1584  AcroRd32.exe
  1584  AcroRd32.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                    pid   process                                                                  target process
  PID 1988 wrote to memory of 1584   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   AcroRd32.exe
  PID 1988 wrote to memory of 1584   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   AcroRd32.exe
  PID 1988 wrote to memory of 1584   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   AcroRd32.exe
  PID 1988 wrote to memory of 1584   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   AcroRd32.exe
  PID 1988 wrote to memory of 1648   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   mls.exe
  PID 1988 wrote to memory of 1648   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   mls.exe
  PID 1988 wrote to memory of 1648   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   mls.exe
  PID 1988 wrote to memory of 1648   1988  0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe   mls.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.pdf"
    - Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Roaming\RAC\mls.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.pdf
  Filesize: 1.7MB
  MD5: 8b6df81f3786a6d953986f95ed6eb3ac
  SHA1: 32ef98d46e69b15b62f1af0e8b8b5e9f6362d51c
  SHA256: ae0ce574fa65c41406cdd8e438d65d5dd20db03ba49628f1eb51da4d6392f1c6
  SHA512: e87322ac540067e47f4f08794fb0d3d153f8147398354eb1b2f6385a8eda04133d6d1b119c12814895df99a2a4ab3cc28d4b7d302e6195a5863408a14e0e2876
- C:\Users\Admin\AppData\Roaming\RAC\mls.exe
  Filesize: 1.6MB
  MD5: 1ebb1216c11c725ecced04a394ba0f07
  SHA1: 1298e27b6cccc9ffc671fad4fbbe5f74675017d3
  SHA256: 92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e
  SHA512: 81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd
- \Users\Admin\AppData\Roaming\RAC\mls.exe
  Filesize: 1.6MB
  MD5: 1ebb1216c11c725ecced04a394ba0f07
  SHA1: 1298e27b6cccc9ffc671fad4fbbe5f74675017d3
  SHA256: 92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e
  SHA512: 81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd
- memory/1584-55-0x0000000000000000-mapping.dmp
- memory/1648-58-0x0000000000000000-mapping.dmp
- memory/1988-54-0x0000000075731000-0x0000000075733000-memory.dmp
  Filesize: 8KB