Analysis

  • max time kernel
    158s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 02:05

General

  • Target

    3ea7df0abcb4db2189b9ae42cbf85b2d4898d19c60046ab7264798750a1099fc.exe

  • Size

    156KB

  • MD5

    2c0cd89fc5d3e010dc5d69e310e2812e

  • SHA1

    37b62fbf843dc502bfa800be18763ecbc7c491cd

  • SHA256

    3ea7df0abcb4db2189b9ae42cbf85b2d4898d19c60046ab7264798750a1099fc

  • SHA512

    2c4a4fbad823e19087afe3edb7977e4b552db35bb885b5222f99965ed605dd76f9fafcc33144ab4f1c9cd9df83ef53f62ae23e6dd414300290540ffe50834c7e

  • SSDEEP

    1536:EZkumWuYPOBU8gRDGHPOGMmUbaxGAka+t/K9rCGaV9mw7Jqx8M+dzAbWQgRV7:VWuYAa4UbaxqkCGaVD7JqfKAbno7

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ea7df0abcb4db2189b9ae42cbf85b2d4898d19c60046ab7264798750a1099fc.exe
    "C:\Users\Admin\AppData\Local\Temp\3ea7df0abcb4db2189b9ae42cbf85b2d4898d19c60046ab7264798750a1099fc.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\hrwiug.exe
      "C:\Users\Admin\hrwiug.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\hrwiug.exe

    Filesize

    156KB

    MD5

    fc1227b4619cde3debe29997186d4aa1

    SHA1

    48ee4746ba3046466d79b25bebd5bfef95ade004

    SHA256

    a7fe04e974c467d1dbb659bbbcb194c32b4a4e0385df8eb5409c11927ab9452f

    SHA512

    78d97b31329dbf6eb970e3441c93cdc9c5d9b2c39377808896d0efd3e36781031c8b81b5a3d74525cf8df46a8c073def30fc63d5aacc660c795e1c5642518190

  • C:\Users\Admin\hrwiug.exe

    Filesize

    156KB

    MD5

    fc1227b4619cde3debe29997186d4aa1

    SHA1

    48ee4746ba3046466d79b25bebd5bfef95ade004

    SHA256

    a7fe04e974c467d1dbb659bbbcb194c32b4a4e0385df8eb5409c11927ab9452f

    SHA512

    78d97b31329dbf6eb970e3441c93cdc9c5d9b2c39377808896d0efd3e36781031c8b81b5a3d74525cf8df46a8c073def30fc63d5aacc660c795e1c5642518190

  • \Users\Admin\hrwiug.exe

    Filesize

    156KB

    MD5

    fc1227b4619cde3debe29997186d4aa1

    SHA1

    48ee4746ba3046466d79b25bebd5bfef95ade004

    SHA256

    a7fe04e974c467d1dbb659bbbcb194c32b4a4e0385df8eb5409c11927ab9452f

    SHA512

    78d97b31329dbf6eb970e3441c93cdc9c5d9b2c39377808896d0efd3e36781031c8b81b5a3d74525cf8df46a8c073def30fc63d5aacc660c795e1c5642518190

  • \Users\Admin\hrwiug.exe

    Filesize

    156KB

    MD5

    fc1227b4619cde3debe29997186d4aa1

    SHA1

    48ee4746ba3046466d79b25bebd5bfef95ade004

    SHA256

    a7fe04e974c467d1dbb659bbbcb194c32b4a4e0385df8eb5409c11927ab9452f

    SHA512

    78d97b31329dbf6eb970e3441c93cdc9c5d9b2c39377808896d0efd3e36781031c8b81b5a3d74525cf8df46a8c073def30fc63d5aacc660c795e1c5642518190

  • memory/1724-59-0x0000000000000000-mapping.dmp

  • memory/1956-56-0x00000000762F1000-0x00000000762F3000-memory.dmp

    Filesize

    8KB