Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2022 09:21

General

  • Target

    780572579a5fc52071dea2e10cb64041de0d1e354eba5576acc56ff1d4ad4733.exe

  • Size

    407KB

  • MD5

    b4da5373b0d2e96a3c1097145f12afcc

  • SHA1

    141550c9ecb8938ce7d279f87790d60c0de26d3c

  • SHA256

    780572579a5fc52071dea2e10cb64041de0d1e354eba5576acc56ff1d4ad4733

  • SHA512

    ff423344dd6ebc32c7ac7b26d9ec3beb6f52694ad976a20d4c99795c43cce12a0f4580ecfcaa577bf9e04a884f7349bf919cb3728863e06edb2990103eed6655

  • SSDEEP

    6144:R+uxdYeeKzUWVd6I2WOkjq7Tj8gpoaJzP6OGfhXK0e7aB8XD5XAFKPcVSwQQPLlm:ZxdYeegUUkIhHAQU7aBuOScYwQKpm

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\780572579a5fc52071dea2e10cb64041de0d1e354eba5576acc56ff1d4ad4733.exe
    "C:\Users\Admin\AppData\Local\Temp\780572579a5fc52071dea2e10cb64041de0d1e354eba5576acc56ff1d4ad4733.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files\Common Files\lkTemps.bat""
      2⤵
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve /d "C:\Windows\Henry.vbs" /f
        3⤵
        • Adds Run key to start application
        PID:2004
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\Henry.vbs"
        3⤵
        PID:1972

Network

MITRE ATT&CK Enterprise v6


Downloads

    • C:\Program Files\Common Files\lkTemps.bat

      Filesize

      1KB

      MD5

      a8dbc6d23a83d8583dee52a3dd8f64b6

      SHA1

      df753cc5bcc29c6beb302645fee05c27d111bdad

      SHA256

      08ff302149546db2f58ded22a402054dfa73cfcd25046b621184c1a65c55b909

      SHA512

      acacbfc9513f3999c721ec8ced0e0ef6b75232825bc835833fcdff7829ae947a394ecd32068d513c8072fec37de4acd636ad7c776cfed7334304f770d87f411a

    • C:\Windows\Henry.vbs

      Filesize

      347B

      MD5

      5b0f430b7376065491e3ac897ead1a3a

      SHA1

      8a9bbbc74f79676874809f119c4b55484055ffa0

      SHA256

      940975734c2470b1477fdab5333beeded94b07eb2d9268fb6c2dcecacdb46e46

      SHA512

      e42a25d043f20430698b0031b27a99a3a8951912562e169123780c26dce1c95a1f6ddb5e44739c0824946839b4e5ca6752892214088e017c9319ce360e21bdc8

    • \??\c:\CSK.DLL

      Filesize

      2KB

      MD5

      5392b0263cc4d21fc653b979ff59b085

      SHA1

      f51c1af2c97f3fbcd8825d1f6cb6cb5a9b65d0ca

      SHA256

      313373bd688ab17e99faf200dc71a023c41d656439b60b718d7fad9afe695df9

      SHA512

      dc45e0063b6b14bc713dea0b9b52ac04c26a5ce346e10efe050d67151a61d7e1e355fadc5bdd4ff2c691d6927ac83f2467a7e99dd01aa676662640941b2825e7

    • memory/780-58-0x0000000076121000-0x0000000076123000-memory.dmp

      Filesize

      8KB