bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 00:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe
Size

672KB
MD5

b104c3458fea02aa2f338e6216dec01f
SHA1

4c337125f346ebbb0db5b068a90896d766d20dc1
SHA256

bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9
SHA512

e718c9a54af3faf07a784ac621658a57f3ad94e59e7d5356ed0875cf63111727bca4f5bce0d35327c3a48fbe68e03719205f990ac2f3c7719b4dd6c87f5d1b75
SSDEEP

12288:HBePiYJjSsl5jQIFbUu9cIOhLA25m++sVWHYeqrkn13ugfHYO:hePdNl5j5b99cIOCpSWHYvknpfH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	decrypted.exe

Loads dropped DLL 2 IoCs

pid	Process
988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe
988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1380	988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe	27
PID 988 wrote to memory of 1380	988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe	27
PID 988 wrote to memory of 1380	988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe	27
PID 988 wrote to memory of 1380	988	bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe	27

C:\Users\Admin\AppData\Local\Temp\bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe
"C:\Users\Admin\AppData\Local\Temp\bd1ee18de779ab73af5b769c9527a787932a88307d0e828ff9ec37ec75bd87a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  2⤵
  - Executes dropped EXE
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
583KB

MD5
3293003b97300cc0dd0407380b26388d

SHA1
dd6f995825161fac112665e7bd6e5986d6467654

SHA256
0fa22ebdca7fb34e20de8fe1639016038dbfca42986354f619458bfd5853ce00

SHA512
e1a9a55984e735b14e80afed6cff230289add977b8b21d4f8676fb81a4e84c56da2999c5a4a794cd0800a43305c700ad689d0239f23a9c3770b0b9d4d4e22e2c

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
583KB

MD5
3293003b97300cc0dd0407380b26388d

SHA1
dd6f995825161fac112665e7bd6e5986d6467654

SHA256
0fa22ebdca7fb34e20de8fe1639016038dbfca42986354f619458bfd5853ce00

SHA512
e1a9a55984e735b14e80afed6cff230289add977b8b21d4f8676fb81a4e84c56da2999c5a4a794cd0800a43305c700ad689d0239f23a9c3770b0b9d4d4e22e2c

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
583KB

MD5
3293003b97300cc0dd0407380b26388d

SHA1
dd6f995825161fac112665e7bd6e5986d6467654

SHA256
0fa22ebdca7fb34e20de8fe1639016038dbfca42986354f619458bfd5853ce00

SHA512
e1a9a55984e735b14e80afed6cff230289add977b8b21d4f8676fb81a4e84c56da2999c5a4a794cd0800a43305c700ad689d0239f23a9c3770b0b9d4d4e22e2c

Download Submit
memory/988-56-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download