Analysis
- max time kernel: 41s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2022 03:17

Static task: static1

Behavioral task: behavioral1
- Sample: 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe
- Resource: win10v2004-20220901-en
General
- Target: 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe
- Size: 136KB
- MD5: 3437e6ae0a6697335138426911ae3107
- SHA1: 27757d12a99515bbef12214fccb9c50434ad3204
- SHA256: 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb
- SHA512: 86bb380807d086f41d5fd87de8d71ff7b32ed8c7fc6e5401ee151e9a10763605f6fe3e451af926631ec6fdb8de2e7d64dc13e89bd4308730736c2e6006677607
- SSDEEP: 3072:JVY5VeRIR51Qi34qc5TnnLHC/3dPUyQ525Y9fz2hcWC:JAeSfdkTnmvds525+2OL
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid: 1052, Process: DllHost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1636 wrote to memory of 1712 | 1636 | 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe | 27
  PID 1636 wrote to memory of 1712 | 1636 | 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe | 27
  PID 1636 wrote to memory of 1712 | 1636 | 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe | 27
  PID 1636 wrote to memory of 1712 | 1636 | 9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe | 27
Processes
- C:\Users\Admin\AppData\Local\Temp\9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d6f1a21b01426448b61f34db3261a272470e4a02b08b9276b0bdb4bfa8145fb.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1636
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\subfile.jpg
    PID: 1712
- C:\Windows\SysWOW64\DllHost.exe (level 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Suspicious use of FindShellTrayWindow
  PID: 1052
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 107KB
  MD5: 301ef81dd5afb6ca5c0cfcf395bb3e37
  SHA1: 66d008310b80459fddfafe9c8d90324ab4e1fbc5
  SHA256: e20304b8efaa90e5622bd397bb4611598bd5593595811232d8b24a1e955e8347
  SHA512: e56ceed064a5c2aadbcb613780594bb11dcb7f41984e9553da85e2454ed24547b00fa6b0ee66296ad4b6595774df4c7501dbaf94f82219f0029c19fee5043531