Analysis

  max time kernel:  42s
  max time network: 45s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        19/09/2022, 01:07
Behavioral task behavioral1
  Sample:   cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe
  Resource: win7-20220812-en

Behavioral task behavioral2
  Sample:   cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe
  Resource: win10v2004-20220812-en
General

  Target: cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe
  Size:   35KB
  MD5:    8af2119de15a51a7df22336bb212120c
  SHA1:   f2096fc4bde47303ae70555475b0cd04f3488ab3
  SHA256: cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a
  SHA512: d8d8706cefe5879dee7873f25c90cd69c8a64546a1288558362f7504324c47dcdad617d19904c41cf3b110bad7cafc0615072e9e2190b0510b8ba76f77eeefe4
  SSDEEP: 768:aHtMkeNmrfgevVkzkcVpKPybIhB+ZhL2VC1HprM8YJ:aOkIbh+sIOZhL2IpQb
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  1280  CFDF1A~1.EXE
  1416  winhost32.exe
  844   winhost32.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key  (Process: winhost32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key\StubPath = "C:\\Windows\\winhost32.exe"  (Process: winhost32.exe)

  resource:  behavioral1/memory/1488-56-0x0000000000400000-0x0000000000417000-memory.dmp
  yara_rule: upx

Deletes itself (1 IoCs)
  pid   Process
  1120  cmd.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1120  cmd.exe
  1120  cmd.exe

Drops file in Windows directory (4 IoCs)
  File created:                  C:\Windows\w32_sysbm.bat  (Process: cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe)
  File created:                  C:\Windows\winhost32.exe  (Process: CFDF1A~1.EXE)
  File opened for modification:  C:\Windows\winhost32.exe  (Process: CFDF1A~1.EXE)
  File created:                  C:\Windows\w32_systm.exe  (Process: cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  844   winhost32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                 procid_target  count
  PID 1488 wrote to memory of 1120   1488  cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe  27             x4
  PID 1120 wrote to memory of 1280   1120  cmd.exe                                                                 29             x4
  PID 1280 wrote to memory of 1416   1280  CFDF1A~1.EXE                                                            30             x4
  PID 1416 wrote to memory of 844    1416  winhost32.exe                                                           31             x4
  PID 844 wrote to memory of 1284    844   winhost32.exe                                                           14             x48
Processes

1. C:\Windows\Explorer.EXE
   command: C:\Windows\Explorer.EXE
   PID:1284

   2. C:\Users\Admin\AppData\Local\Temp\cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe
      command: "C:\Users\Admin\AppData\Local\Temp\cfdf1aaae40f7b8ac7a06aaf37e7fa60b6b64169bc54ed00c0da0da23544f17a.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID:1488

      3. C:\Windows\SysWOW64\cmd.exe
         command: cmd /c ""C:\Windows\w32_sysbm.bat" "
         - Deletes itself
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         PID:1120

         4. C:\Users\Admin\AppData\Local\Temp\CFDF1A~1.EXE
            command: C:\Users\Admin\AppData\Local\Temp\CFDF1A~1.EXE
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            PID:1280

            5. C:\Windows\winhost32.exe
               command: "C:\Windows\winhost32.exe" "C:\Users\Admin\AppData\Local\Temp\CFDF1A~1.EXE"
               - Executes dropped EXE
               - Suspicious use of WriteProcessMemory
               PID:1416

               6. C:\Windows\winhost32.exe
                  command: "C:\Windows\winhost32.exe" stm
                  - Executes dropped EXE
                  - Modifies Installed Components in the registry
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of WriteProcessMemory
                  PID:844
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 65KB
  MD5:      10a424a5ad51dec49cdc461fd759bb5e
  SHA1:     784e68b8fdb64e7ff178c148a7a6f0b5853d8cb1
  SHA256:   862f21f6bc7e6087931d93a209b40c452544e29b69d9687ea887243f493a8fc6
  SHA512:   5e1529315418361bb55f0dcee33c32b015f62b14f25c4ba60479c972393bb56b885aba59243efca9605b695f7df0b44ea6b934da16d7d27611ee2c81fa5cfabc

  Filesize: 339B
  MD5:      d012974c57a00774579e9e637d14cf69
  SHA1:     272a17c7985918bf7c150f78b470d023a7f09993
  SHA256:   6cabeeabb81d506dbe423aaf647d4243982ff45867b2f2c45254326e2e71f4e5
  SHA512:   672b80d48d3006f92ee5319e3f80ff79f5f14c830868ad11caf4ad132c82fe7c83bce9964badd576dc48670936b3ad6039a84a731931297561b35a9ffd70381e