Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 00:59

General

  • Target

    55d785129f3dfd02438a2cffa5625575484146af3c290e4939218185596c13b5.exe

  • Size

    95KB

  • MD5

    16071c37dbf1f60aec45dcc15743f6e3

  • SHA1

    8b721e24288ad0a788dd2c683f1e57dc67ea1bed

  • SHA256

    55d785129f3dfd02438a2cffa5625575484146af3c290e4939218185596c13b5

  • SHA512

    25da3566fac8ed030b8e882c22afb01bdc3cd6e8d29c0d17b9387efddf0f81d0d2bb06963136816cbac609e94f625c712cbad6caad6707583368b252b91c3de6

  • SSDEEP

    1536:EpgpHzb9dZVX9fHMvG0D3XJ3B/f2gUBglcADKd56zAmxFGlbJUcFJVKM5aUrr:ygXdZt9P6D3XJ3JOgkjADKd5H+FkFJnD

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d785129f3dfd02438a2cffa5625575484146af3c290e4939218185596c13b5.exe
    "C:\Users\Admin\AppData\Local\Temp\55d785129f3dfd02438a2cffa5625575484146af3c290e4939218185596c13b5.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk31.icw"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWow64\WScript.exe
        "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk31.icw"
        3⤵
          PID:1764
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1912
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:928

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\EditPlus\kk31.icw

      Filesize

      132B

      MD5

      680d4f1a3232585e2e7fb3a52813f84d

      SHA1

      7f4dd536a6cb2ffbb738d7ee49dffe28f030af24

      SHA256

      d1be6c7a3743f1bab0a67fb89da988e4357fa32478ea6cb75dd9ab8261f1801a

      SHA512

      888eedc4907fe636361cfcd498205bb04e8af728a5f096d333460ba8939e61afcddfc3b16e51a32373e5120b42d1fe4495a281d64700fb71c8e8075e86917e98

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5R5ACNUP.txt

      Filesize

      608B

      MD5

      1948d88353abc9f03d56af149dd99a17

      SHA1

      e9a4ec41e7e8f1e8ef6cbc4507b86b82840b464c

      SHA256

      a208d5f7ca1e8ba990f5af7b6b25d7e9551df5bc725300dd902c695c5df5fe96

      SHA512

      1e3ceba29e4536c2fa4e732d6572f5db919d09f71a1f6f1bfbf3e8e7b5c50c84748e614a77227c733f9804c75d57c225ef9870c31442b289d061bb63bf9c8cd7

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk31.icw

      Filesize

      742B

      MD5

      f735c2d1e7c8f24a86e48b9e45a61b24

      SHA1

      42c53fcd79b4078b8742e9b29e88d87f8384830f

      SHA256

      97a2e076424949b5bb26e4818548be6507f78ba4d3ede5dbfb42f61b6973a979

      SHA512

      495abc7d36400651d4c004bf521a1715880f64ac892e3206fb8100eddf15167d711a5a6b29e66a3ec013c4f6f95fbb13ca25889615c66fee4a07f03ef31cdb28

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

      Filesize

      80KB

      MD5

      d2a43490acc2c80d87139db0dedb537e

      SHA1

      8f36e5865a03511b04961692af6053ce4365db96

      SHA256

      b9e841ae979cff45a71df03cdc18a7908cc36a79d2aa72896714248be818644d

      SHA512

      d8b3382755848e0b53b785054effd034546eb5919b4c1f248de484a56342ebe5d62a2ff3f4629e72361e32bad0cee179d5eaedaf9508e106ef74740413197a34

    • \Users\Admin\AppData\Local\Temp\nsyED0F.tmp\System.dll

      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • \Users\Admin\AppData\Local\Temp\nsyED0F.tmp\nsExec.dll

      Filesize

      6KB

      MD5

      acc2b699edfea5bf5aae45aba3a41e96

      SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

      SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

      SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

      Filesize

      44KB

      MD5

      7c30927884213f4fe91bbe90b591b762

      SHA1

      65693828963f6b6a5cbea4c9e595e06f85490f6f

      SHA256

      9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

      SHA512

      8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

      Filesize

      80KB

      MD5

      d2a43490acc2c80d87139db0dedb537e

      SHA1

      8f36e5865a03511b04961692af6053ce4365db96

      SHA256

      b9e841ae979cff45a71df03cdc18a7908cc36a79d2aa72896714248be818644d

      SHA512

      d8b3382755848e0b53b785054effd034546eb5919b4c1f248de484a56342ebe5d62a2ff3f4629e72361e32bad0cee179d5eaedaf9508e106ef74740413197a34

    • memory/1620-57-0x0000000000000000-mapping.dmp

    • memory/1764-60-0x0000000000000000-mapping.dmp

    • memory/1912-64-0x0000000000000000-mapping.dmp

    • memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp

      Filesize

      8KB