50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d

Analysis

max time kernel
39s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe
Size

2.6MB
MD5

69a1029631fcc63e9c2a5d7bcf9e5853
SHA1

fa324e011e75026186217c1140cd8c0b816abea4
SHA256

50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d
SHA512

aef67446906ab48f72f6b2ef1d8347c07090d4c0319f2156abb94763f6ff2d45856486ec235d5e619394c7fb7ed48ef5df7cb7350e7dbb6a568f272794577100
SSDEEP

49152:RmVkBJmTS2jVeesDRgyDkeXT7Bim2AAA9MGR95Y0urq7kCCPEa0TZbVd22frPmkd:RqkcS2jVeesD2iXT7km2AAAJPYrpCCM3

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1200	sexyss55.exe_tmp.exe
968	rkverify.exe

Loads dropped DLL 5 IoCs

pid	Process
1760	50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe
1200	sexyss55.exe_tmp.exe
1200	sexyss55.exe_tmp.exe
968	rkverify.exe
1200	sexyss55.exe_tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Julia Stiles Sex-E Screensaver Uninstaller.exe	50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
968	rkverify.exe
968	rkverify.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
968	rkverify.exe
968	rkverify.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1200	1760	50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe	27
PID 1760 wrote to memory of 1200	1760	50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe	27
PID 1760 wrote to memory of 1200	1760	50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe	27
PID 1760 wrote to memory of 1200	1760	50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe	27
PID 1200 wrote to memory of 968	1200	sexyss55.exe_tmp.exe	28
PID 1200 wrote to memory of 968	1200	sexyss55.exe_tmp.exe	28
PID 1200 wrote to memory of 968	1200	sexyss55.exe_tmp.exe	28
PID 1200 wrote to memory of 968	1200	sexyss55.exe_tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe
"C:\Users\Admin\AppData\Local\Temp\50e6402bb5edb1e6f2d6cdce36bf8ebff7049484ea494f1f0427fec22be4c30d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\inst7085534\installer\sexyss55.exe_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\inst7085534\installer\sexyss55.exe_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\rkverify.exe
    "C:\Users\Admin\AppData\Local\Temp\rkverify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSM25AB.tmp

Filesize
144KB

MD5
83bacd2c634b541dd1e7ded3cf5f5ff7

SHA1
486e20514e6f1873f993cab5aac72a0c218f082a

SHA256
08a8ca457ee40ede686d7547b05718c581e78437f8535efe2384a5ac8ff01e69

SHA512
bed964971d3ca0c6dc1b91861dd31fe8f463878acfdb42a7cd1f61dfbc948f294c6e7e4ad3f10c65be52d273c5125cfef24a609cd39af40b5d06270ffd644f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst7085534\installer\sexyss55.exe_tmp.exe

Filesize
2.2MB

MD5
806568442b4af8d23b737cf5efbce6c9

SHA1
55c77ba26b350178a6c4642aac3f563445d67f6b

SHA256
76fdfb6571d77c5b6ad57334a7ebead500362a51b60b57921f988434b5b3c07a

SHA512
4933c7631f1c48af86657b6f92c9e333e7a441c9480ff1bc5ec07e2504ed586b82ad4dc1e1df7c10b5404a83f63a2ea857fdc0ee2abdf98471643302cd72f68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst7085534\installer\sexyss55.exe_tmp.exe

Filesize
2.2MB

MD5
806568442b4af8d23b737cf5efbce6c9

SHA1
55c77ba26b350178a6c4642aac3f563445d67f6b

SHA256
76fdfb6571d77c5b6ad57334a7ebead500362a51b60b57921f988434b5b3c07a

SHA512
4933c7631f1c48af86657b6f92c9e333e7a441c9480ff1bc5ec07e2504ed586b82ad4dc1e1df7c10b5404a83f63a2ea857fdc0ee2abdf98471643302cd72f68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkverify.exe

Filesize
228KB

MD5
37ff45a5063985fbeeac98aff61890a3

SHA1
07b003ec81c3e76149acd4cfcf03c7f3154c4726

SHA256
a549593a1eea91283dad3962699d46b78a81ba740612dcb6faa2acca85dd889e

SHA512
e7af7f55c5c50e3a6774310a460e0bd87e3059fa25995203875e4617fdb209fc71b107386275f5f783cd31e3adf5875274ce3d8a4e721300e5adb38a1c87fefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkverify.exe

Filesize
228KB

MD5
37ff45a5063985fbeeac98aff61890a3

SHA1
07b003ec81c3e76149acd4cfcf03c7f3154c4726

SHA256
a549593a1eea91283dad3962699d46b78a81ba740612dcb6faa2acca85dd889e

SHA512
e7af7f55c5c50e3a6774310a460e0bd87e3059fa25995203875e4617fdb209fc71b107386275f5f783cd31e3adf5875274ce3d8a4e721300e5adb38a1c87fefb

Download Submit
\Users\Admin\AppData\Local\Temp\CSM25AB.tmp

Filesize
144KB

MD5
83bacd2c634b541dd1e7ded3cf5f5ff7

SHA1
486e20514e6f1873f993cab5aac72a0c218f082a

SHA256
08a8ca457ee40ede686d7547b05718c581e78437f8535efe2384a5ac8ff01e69

SHA512
bed964971d3ca0c6dc1b91861dd31fe8f463878acfdb42a7cd1f61dfbc948f294c6e7e4ad3f10c65be52d273c5125cfef24a609cd39af40b5d06270ffd644f0d

Download Submit
\Users\Admin\AppData\Local\Temp\CSM25AB.tmp

Filesize
144KB

MD5
83bacd2c634b541dd1e7ded3cf5f5ff7

SHA1
486e20514e6f1873f993cab5aac72a0c218f082a

SHA256
08a8ca457ee40ede686d7547b05718c581e78437f8535efe2384a5ac8ff01e69

SHA512
bed964971d3ca0c6dc1b91861dd31fe8f463878acfdb42a7cd1f61dfbc948f294c6e7e4ad3f10c65be52d273c5125cfef24a609cd39af40b5d06270ffd644f0d

Download Submit
\Users\Admin\AppData\Local\Temp\inst7085534\installer\sexyss55.exe_tmp.exe

Filesize
2.2MB

MD5
806568442b4af8d23b737cf5efbce6c9

SHA1
55c77ba26b350178a6c4642aac3f563445d67f6b

SHA256
76fdfb6571d77c5b6ad57334a7ebead500362a51b60b57921f988434b5b3c07a

SHA512
4933c7631f1c48af86657b6f92c9e333e7a441c9480ff1bc5ec07e2504ed586b82ad4dc1e1df7c10b5404a83f63a2ea857fdc0ee2abdf98471643302cd72f68b

Download Submit
\Users\Admin\AppData\Local\Temp\rkverify.exe

Filesize
228KB

MD5
37ff45a5063985fbeeac98aff61890a3

SHA1
07b003ec81c3e76149acd4cfcf03c7f3154c4726

SHA256
a549593a1eea91283dad3962699d46b78a81ba740612dcb6faa2acca85dd889e

SHA512
e7af7f55c5c50e3a6774310a460e0bd87e3059fa25995203875e4617fdb209fc71b107386275f5f783cd31e3adf5875274ce3d8a4e721300e5adb38a1c87fefb

Download Submit
\Users\Admin\AppData\Local\Temp\rkverify.exe

Filesize
228KB

MD5
37ff45a5063985fbeeac98aff61890a3

SHA1
07b003ec81c3e76149acd4cfcf03c7f3154c4726

SHA256
a549593a1eea91283dad3962699d46b78a81ba740612dcb6faa2acca85dd889e

SHA512
e7af7f55c5c50e3a6774310a460e0bd87e3059fa25995203875e4617fdb209fc71b107386275f5f783cd31e3adf5875274ce3d8a4e721300e5adb38a1c87fefb

Download Submit
memory/1200-68-0x0000000002770000-0x00000000033BA000-memory.dmp

Filesize
12.3MB

Download
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download