98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
Size

20KB
MD5

29bdeda415f10921646464768c72c009
SHA1

47a15db8eba3f8dec439f8ec430e869ca4731e04
SHA256

98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79
SHA512

418d666dc5f4dd571d713c5494f627620ad1e4ada20b68915872d3e3a5cfbba7e5fbfc74976151c4334c4d27208a9a51440aaf16f635471d3df70cf3c4b8ea6b
SSDEEP

384:DBNHCOqmHMyD6XTHfz0lv30PNApPAyuOgsnR+HLE4GebEmimTHDun:DDiOqZy2XT/QJ0PNer4GegmDfun

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
980	BAA.exe
684	AAB.exe
680	BAB.exe
540	AAA.exe

Loads dropped DLL 8 IoCs

pid	Process
2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
980	BAA.exe
980	BAA.exe
684	AAB.exe
684	AAB.exe
680	BAB.exe
680	BAB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
980	BAA.exe
684	AAB.exe
680	BAB.exe
540	AAA.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 980	2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	26
PID 2016 wrote to memory of 980	2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	26
PID 2016 wrote to memory of 980	2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	26
PID 2016 wrote to memory of 980	2016	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	26
PID 980 wrote to memory of 684	980	BAA.exe	27
PID 980 wrote to memory of 684	980	BAA.exe	27
PID 980 wrote to memory of 684	980	BAA.exe	27
PID 980 wrote to memory of 684	980	BAA.exe	27
PID 684 wrote to memory of 680	684	AAB.exe	28
PID 684 wrote to memory of 680	684	AAB.exe	28
PID 684 wrote to memory of 680	684	AAB.exe	28
PID 684 wrote to memory of 680	684	AAB.exe	28
PID 680 wrote to memory of 540	680	BAB.exe	29
PID 680 wrote to memory of 540	680	BAB.exe	29
PID 680 wrote to memory of 540	680	BAB.exe	29
PID 680 wrote to memory of 540	680	BAB.exe	29

C:\Users\Admin\AppData\Local\Temp\98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
"C:\Users\Admin\AppData\Local\Temp\98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\BAA.exe
  "C:\Users\Admin\AppData\Local\Temp\BAA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\AAB.exe
    "C:\Users\Admin\AppData\Local\Temp\AAB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\BAB.exe
      "C:\Users\Admin\AppData\Local\Temp\BAB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Users\Admin\AppData\Local\Temp\AAA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AAA.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAA.exe

Filesize
20KB

MD5
d4e93a26fcb714d832df25141adf0a8f

SHA1
629a842a9f701ec1778583739d7c059a625c8047

SHA256
0a625c3cba7b8403e4ca00559191dc327c9d286a5b54d9bba2a62fbf568220cf

SHA512
8ecc67ba5d6df8313d7ef22df4705255165f672851f7d69133cd97c341790e29b90b61b11e859568a769abba59683bccc5ebc5b80035b5f9b7832f05a214e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAA.exe

Filesize
20KB

MD5
d4e93a26fcb714d832df25141adf0a8f

SHA1
629a842a9f701ec1778583739d7c059a625c8047

SHA256
0a625c3cba7b8403e4ca00559191dc327c9d286a5b54d9bba2a62fbf568220cf

SHA512
8ecc67ba5d6df8313d7ef22df4705255165f672851f7d69133cd97c341790e29b90b61b11e859568a769abba59683bccc5ebc5b80035b5f9b7832f05a214e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB.exe

Filesize
20KB

MD5
9dcb9a446b89714157b7a4c0555aef71

SHA1
093b1a4c8b1bcca1c3bacf697fd1a699fecc6fe9

SHA256
3f2775dcc24a85a8b1d1450b1f2d62976a250b8a921e84b6fc2a1722df5d13e6

SHA512
5522f69464ec0ff8e0f5a1fc6ae3c97ec5ce6aa2b96157c9f3d39b776538a2acec61873b23caf3429f56f11dd92bfe03893d2cd869c4ec358ea21b522c13e29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAB.exe

Filesize
20KB

MD5
9dcb9a446b89714157b7a4c0555aef71

SHA1
093b1a4c8b1bcca1c3bacf697fd1a699fecc6fe9

SHA256
3f2775dcc24a85a8b1d1450b1f2d62976a250b8a921e84b6fc2a1722df5d13e6

SHA512
5522f69464ec0ff8e0f5a1fc6ae3c97ec5ce6aa2b96157c9f3d39b776538a2acec61873b23caf3429f56f11dd92bfe03893d2cd869c4ec358ea21b522c13e29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAA.exe

Filesize
20KB

MD5
1147ba533cb38e7b9a0b0117df1926d7

SHA1
aeb5957af81452b0f10eb679c8f3f06ecb297ac9

SHA256
87435b93e8ae8b4713a3596027797e6ab7bc7541be7ab38c0639ef6a5ab22a8f

SHA512
f2f555cb809b12dc9a195356228bbe2a2a306d1f8bc82e6c68e051f1588be15e2826e23c4b07da2730e27c38cd2c5d23ab4f1807a0ba020486557aaa1e19ba1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAA.exe

Filesize
20KB

MD5
1147ba533cb38e7b9a0b0117df1926d7

SHA1
aeb5957af81452b0f10eb679c8f3f06ecb297ac9

SHA256
87435b93e8ae8b4713a3596027797e6ab7bc7541be7ab38c0639ef6a5ab22a8f

SHA512
f2f555cb809b12dc9a195356228bbe2a2a306d1f8bc82e6c68e051f1588be15e2826e23c4b07da2730e27c38cd2c5d23ab4f1807a0ba020486557aaa1e19ba1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAB.exe

Filesize
20KB

MD5
ca4c9143e1fbfcba0319f2a95d8def71

SHA1
4ee82aff1cc19d7db08b26c611392998b4fe7c8d

SHA256
efacd53902bf48368b2a29b2b9c2a1bfb815fd7fe2a188fc27f2b6083fc71ae8

SHA512
c84d707f56ed2f34fd82245dc8353d1ade324ec28f36ec32deb31043fffca183ead56d57f140b2eb4b56a283fd7920ca4243f6cb5283f30278e5fccc63962183

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAB.exe

Filesize
20KB

MD5
ca4c9143e1fbfcba0319f2a95d8def71

SHA1
4ee82aff1cc19d7db08b26c611392998b4fe7c8d

SHA256
efacd53902bf48368b2a29b2b9c2a1bfb815fd7fe2a188fc27f2b6083fc71ae8

SHA512
c84d707f56ed2f34fd82245dc8353d1ade324ec28f36ec32deb31043fffca183ead56d57f140b2eb4b56a283fd7920ca4243f6cb5283f30278e5fccc63962183

Download Submit
\Users\Admin\AppData\Local\Temp\AAA.exe

Filesize
20KB

MD5
d4e93a26fcb714d832df25141adf0a8f

SHA1
629a842a9f701ec1778583739d7c059a625c8047

SHA256
0a625c3cba7b8403e4ca00559191dc327c9d286a5b54d9bba2a62fbf568220cf

SHA512
8ecc67ba5d6df8313d7ef22df4705255165f672851f7d69133cd97c341790e29b90b61b11e859568a769abba59683bccc5ebc5b80035b5f9b7832f05a214e56d

Download Submit
\Users\Admin\AppData\Local\Temp\AAA.exe

Filesize
20KB

MD5
d4e93a26fcb714d832df25141adf0a8f

SHA1
629a842a9f701ec1778583739d7c059a625c8047

SHA256
0a625c3cba7b8403e4ca00559191dc327c9d286a5b54d9bba2a62fbf568220cf

SHA512
8ecc67ba5d6df8313d7ef22df4705255165f672851f7d69133cd97c341790e29b90b61b11e859568a769abba59683bccc5ebc5b80035b5f9b7832f05a214e56d

Download Submit
\Users\Admin\AppData\Local\Temp\AAB.exe

Filesize
20KB

MD5
9dcb9a446b89714157b7a4c0555aef71

SHA1
093b1a4c8b1bcca1c3bacf697fd1a699fecc6fe9

SHA256
3f2775dcc24a85a8b1d1450b1f2d62976a250b8a921e84b6fc2a1722df5d13e6

SHA512
5522f69464ec0ff8e0f5a1fc6ae3c97ec5ce6aa2b96157c9f3d39b776538a2acec61873b23caf3429f56f11dd92bfe03893d2cd869c4ec358ea21b522c13e29c

Download Submit
\Users\Admin\AppData\Local\Temp\AAB.exe

Filesize
20KB

MD5
9dcb9a446b89714157b7a4c0555aef71

SHA1
093b1a4c8b1bcca1c3bacf697fd1a699fecc6fe9

SHA256
3f2775dcc24a85a8b1d1450b1f2d62976a250b8a921e84b6fc2a1722df5d13e6

SHA512
5522f69464ec0ff8e0f5a1fc6ae3c97ec5ce6aa2b96157c9f3d39b776538a2acec61873b23caf3429f56f11dd92bfe03893d2cd869c4ec358ea21b522c13e29c

Download Submit
\Users\Admin\AppData\Local\Temp\BAA.exe

Filesize
20KB

MD5
1147ba533cb38e7b9a0b0117df1926d7

SHA1
aeb5957af81452b0f10eb679c8f3f06ecb297ac9

SHA256
87435b93e8ae8b4713a3596027797e6ab7bc7541be7ab38c0639ef6a5ab22a8f

SHA512
f2f555cb809b12dc9a195356228bbe2a2a306d1f8bc82e6c68e051f1588be15e2826e23c4b07da2730e27c38cd2c5d23ab4f1807a0ba020486557aaa1e19ba1b

Download Submit
\Users\Admin\AppData\Local\Temp\BAA.exe

Filesize
20KB

MD5
1147ba533cb38e7b9a0b0117df1926d7

SHA1
aeb5957af81452b0f10eb679c8f3f06ecb297ac9

SHA256
87435b93e8ae8b4713a3596027797e6ab7bc7541be7ab38c0639ef6a5ab22a8f

SHA512
f2f555cb809b12dc9a195356228bbe2a2a306d1f8bc82e6c68e051f1588be15e2826e23c4b07da2730e27c38cd2c5d23ab4f1807a0ba020486557aaa1e19ba1b

Download Submit
\Users\Admin\AppData\Local\Temp\BAB.exe

Filesize
20KB

MD5
ca4c9143e1fbfcba0319f2a95d8def71

SHA1
4ee82aff1cc19d7db08b26c611392998b4fe7c8d

SHA256
efacd53902bf48368b2a29b2b9c2a1bfb815fd7fe2a188fc27f2b6083fc71ae8

SHA512
c84d707f56ed2f34fd82245dc8353d1ade324ec28f36ec32deb31043fffca183ead56d57f140b2eb4b56a283fd7920ca4243f6cb5283f30278e5fccc63962183

Download Submit
\Users\Admin\AppData\Local\Temp\BAB.exe

Filesize
20KB

MD5
ca4c9143e1fbfcba0319f2a95d8def71

SHA1
4ee82aff1cc19d7db08b26c611392998b4fe7c8d

SHA256
efacd53902bf48368b2a29b2b9c2a1bfb815fd7fe2a188fc27f2b6083fc71ae8

SHA512
c84d707f56ed2f34fd82245dc8353d1ade324ec28f36ec32deb31043fffca183ead56d57f140b2eb4b56a283fd7920ca4243f6cb5283f30278e5fccc63962183

Download Submit
memory/2016-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download