Analysis
max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 04:41
Static task: static1
Behavioral task: behavioral1
Sample: 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
Resource: win7-20220715-en
Behavioral task: behavioral2
Sample: 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
Resource: win10v2004-20220721-en
General
Target: 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
Size: 1.7MB
MD5: 8f94bc5cacfd1fbfcb09a94958adfd1d
SHA1: 3930dbb9a0d13331acfb232a39aae879d4a3437c
SHA256: 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6
SHA512: c5e3bcdf679789bba2bdab1fc0bd3da91e4e9f4a2ad8c4d7ce12594631e8cf4a44002d954b52a907d28028f5870b871b59cc4cbcb0f6ec6e0e19a331a29010bd
Malware Config
Signatures
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    980   mls.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe, mls.exe
    description      ioc                                                                                                                                                                                 process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"    74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RAC\\svcsc.exe"    mls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: AcroRd32.exe
    pid   process
    1896  AcroRd32.exe
    1896  AcroRd32.exe
    1896  AcroRd32.exe
    1896  AcroRd32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
    description                       pid   process                                                                   target process
    PID 1488 wrote to memory of 1896  1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  AcroRd32.exe
    PID 1488 wrote to memory of 1896  1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  AcroRd32.exe
    PID 1488 wrote to memory of 1896  1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  AcroRd32.exe
    PID 1488 wrote to memory of 1896  1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  AcroRd32.exe
    PID 1488 wrote to memory of 980   1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  mls.exe
    PID 1488 wrote to memory of 980   1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  mls.exe
    PID 1488 wrote to memory of 980   1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  mls.exe
    PID 1488 wrote to memory of 980   1488  74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe  mls.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.pdf"
    - Suspicious use of SetWindowsHookEx
  - (depth 2) C:\Users\Admin\AppData\Roaming\RAC\mls.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.pdf
  Filesize: 158KB
  MD5: 4f5e97da89da8677e7e45dbc931ec882
  SHA1: fe563c1a83835880eaab9a8446fefc13a0c601f2
  SHA256: cd273ab762a215098f8199a7409c5e240659935c01acb8c6cddd4f685093c964
  SHA512: a75cf750d484164d59a818ee267c0f937220a271ff72d3bdbd8c1418ec5f1265b75d944476b52269e6bdad531a6a5fd80dd96dde1bbcd67f6a26f2d2773a209b
- C:\Users\Admin\AppData\Roaming\RAC\mls.exe
  Filesize: 1.6MB
  MD5: 1ebb1216c11c725ecced04a394ba0f07
  SHA1: 1298e27b6cccc9ffc671fad4fbbe5f74675017d3
  SHA256: 92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e
  SHA512: 81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd
- \Users\Admin\AppData\Roaming\RAC\mls.exe
  Filesize: 1.6MB
  MD5: 1ebb1216c11c725ecced04a394ba0f07
  SHA1: 1298e27b6cccc9ffc671fad4fbbe5f74675017d3
  SHA256: 92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e
  SHA512: 81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd
- memory/980-58-0x0000000000000000-mapping.dmp
- memory/1488-54-0x0000000075681000-0x0000000075683000-memory.dmp
  Filesize: 8KB
- memory/1896-55-0x0000000000000000-mapping.dmp