Analysis

  • max time kernel
    132s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2022 12:44

General

  • Target

    2d3e5f9e4a0aa1ffb20e664f1aac319f92b88adec78a464b8308006375b0dd4b.exe

  • Size

    186KB

  • MD5

    058717c9f07c685eb6e5f2b1423965d4

  • SHA1

    342263ec1e5584d82a1091dd5bb250515892c520

  • SHA256

    2d3e5f9e4a0aa1ffb20e664f1aac319f92b88adec78a464b8308006375b0dd4b

  • SHA512

    88a1d05269c8efd20f9658c50cca00d0bf19005d8f503acdb7b56bfe9759891e1b8be6a718537b45f25a88c42306c1c445269f7c55e5418728fff10dfef95074

  • SSDEEP

    3072:EHFGt2E/o3zNyGiw/Ow79BLQ+j7/wZMb5FUY2rhAOizHMYYSahT1lCWnIP1gj85X:Ex8Gil+sosZu5yzrz2s9TLnIqj85SJ8

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d3e5f9e4a0aa1ffb20e664f1aac319f92b88adec78a464b8308006375b0dd4b.exe
    "C:\Users\Admin\AppData\Local\Temp\2d3e5f9e4a0aa1ffb20e664f1aac319f92b88adec78a464b8308006375b0dd4b.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\program files (x86)\internet explorer\wmpscfgs.exe
      "C:\program files (x86)\internet explorer\wmpscfgs.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\program files (x86)\internet explorer\wmpscfgs.exe
        "C:\program files (x86)\internet explorer\wmpscfgs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1892
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

    Filesize

    188KB

    MD5

    d604584b14191fe4b39f37257293a183

    SHA1

    5cf47e5ccccf53ed0f0f1244635146d3d3d63b5b

    SHA256

    dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4

    SHA512

    92bd61bbf7089a3d27a4089bde0afc92a8d55f53ea392d45d4f81e6ac1b7b90985763261dd4f26fb9c10d15bb450fe7384989d55902e6ca31f8fabe1b4613b49

  • C:\program files (x86)\internet explorer\wmpscfgs.exe

    Filesize

    188KB

    MD5

    d604584b14191fe4b39f37257293a183

    SHA1

    5cf47e5ccccf53ed0f0f1244635146d3d3d63b5b

    SHA256

    dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4

    SHA512

    92bd61bbf7089a3d27a4089bde0afc92a8d55f53ea392d45d4f81e6ac1b7b90985763261dd4f26fb9c10d15bb450fe7384989d55902e6ca31f8fabe1b4613b49

  • \??\c:\program files (x86)\adobe\acrotray .exe

    Filesize

    218KB

    MD5

    a217a41b5d8c8f56fbb2d836ad492b3b

    SHA1

    6d8afb03e0404939c4c8f213c9f84be6d14eabf8

    SHA256

    86f03e9e1920780ff0275fabc51e4d981b6dc5c410254c3845e9fc171f969d04

    SHA512

    a18a3ccdccaa141391d5b47c2448d7918edb83d64632e51bbe973a8e407773d29e1da4e827300e016cbd848ac75fe52b9544bb051019a9b4296ef13fd3493bab

  • \??\c:\program files (x86)\adobe\acrotray.exe

    Filesize

    197KB

    MD5

    5b86969387b0d1db216c6d18a29e600b

    SHA1

    6aa175939d1cfbc28ffa0403519296a5fada5365

    SHA256

    ff6d29c745b663d571a9cc4d1eb394cbec32a53e869276d024aa75ea94c368fa

    SHA512

    c0e600b753a3fe9d0ac085924620da24aadca142e0f360a841ce81fc0c1104ebcaaf682fa5525064fb7e4996a8fb3634f1466adb57605e8048be6e107f4647e2

  • \??\c:\program files (x86)\microsoft office\office14\bcssync.exe

    Filesize

    218KB

    MD5

    0d1e097e508ad1760ce6fbd17e01daf5

    SHA1

    1ae102982a1947f67d479ad21190775325f74387

    SHA256

    e6258c8488c828d9992983d457be9667a55fc03ff21feaeac0daf0c41f256e14

    SHA512

    0e469bc30968e2d52e2583824d37b66af470c3c7ff2a23a35a08ea2db474644cb4668e7d239cd72d51daa418c2a7808413041ad9af72711dcecb04cc3af92881

  • \Program Files (x86)\Internet Explorer\wmpscfgs.exe

    Filesize

    188KB

    MD5

    d604584b14191fe4b39f37257293a183

    SHA1

    5cf47e5ccccf53ed0f0f1244635146d3d3d63b5b

    SHA256

    dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4

    SHA512

    92bd61bbf7089a3d27a4089bde0afc92a8d55f53ea392d45d4f81e6ac1b7b90985763261dd4f26fb9c10d15bb450fe7384989d55902e6ca31f8fabe1b4613b49

  • memory/892-54-0x0000000075141000-0x0000000075143000-memory.dmp

    Filesize

    8KB

  • memory/892-55-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/1288-63-0x0000000000000000-mapping.dmp

  • memory/1764-60-0x0000000000000000-mapping.dmp

  • memory/1764-67-0x0000000010000000-0x0000000010010000-memory.dmp

    Filesize

    64KB

  • memory/1892-74-0x0000000000000000-mapping.dmp
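An added example, not part of the sandbox report or of the sandbox vendor's tooling: a Python script that collapses the dropped-file entries above (the same wmpscfgs.exe is listed under several path spellings) into one IOC per SHA-256, flags the space-before-extension trick in `acrotray .exe`, checks the process tree for the Temp-to-Program-Files launch and the self-respawn of wmpscfgs.exe, and matches a host file inventory against the result. Hash values, paths and PIDs are copied from the report; `HOST_INVENTORY` and the placeholder hashes in it are constructed for illustration.

```python
"""Added example: turn the sandbox report's dropped files and process tree
into a deduplicated IOC set and run simple host-side checks against it.
Report values are copied from the page; HOST_INVENTORY is constructed."""
import ntpath
import re
from collections import defaultdict

# Dropped-file entries as the report lists them (path, SHA-256). The sandbox
# repeats the same wmpscfgs.exe artifact under several path spellings.
DROPPED = [
    (r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe",
     "dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4"),
    (r"C:\program files (x86)\internet explorer\wmpscfgs.exe",
     "dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4"),
    (r"\Program Files (x86)\Internet Explorer\wmpscfgs.exe",
     "dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4"),
    (r"\??\c:\program files (x86)\adobe\acrotray .exe",
     "86f03e9e1920780ff0275fabc51e4d981b6dc5c410254c3845e9fc171f969d04"),
    (r"\??\c:\program files (x86)\adobe\acrotray.exe",
     "ff6d29c745b663d571a9cc4d1eb394cbec32a53e869276d024aa75ea94c368fa"),
    (r"\??\c:\program files (x86)\microsoft office\office14\bcssync.exe",
     "e6258c8488c828d9992983d457be9667a55fc03ff21feaeac0daf0c41f256e14"),
]

# Process tree from the report: (pid, parent pid, image path).
PROCESS_TREE = [
    (892, None, r"C:\Users\Admin\AppData\Local\Temp"
                r"\2d3e5f9e4a0aa1ffb20e664f1aac319f92b88adec78a464b8308006375b0dd4b.exe"),
    (1764, 892, r"C:\program files (x86)\internet explorer\wmpscfgs.exe"),
    (1892, 1764, r"C:\program files (x86)\internet explorer\wmpscfgs.exe"),
    (1288, 892, r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe"),
]

# Constructed host inventory (path, SHA-256). Only the wmpscfgs.exe hash is
# real (from the report); the others are placeholders, not file hashes.
HOST_INVENTORY = [
    (r"C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe",
     "dffa879b890ecb7c5f6c27fd5b7f08dcd24cdfa97a8dbd8ddb29e6a6b99000b4"),
    (r"C:\Users\Admin\Downloads\wmpscfgs.exe", "1" * 64),
    (r"D:\backup\installer .exe", "2" * 64),
    (r"C:\Windows\notepad.exe", "3" * 64),
]


def normalize_path(path):
    """Canonicalize the spellings the sandbox uses for one file: strip the
    NT '\\??\\' prefix, add the missing drive letter, lowercase."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.startswith("\\"):  # "\Program Files (x86)\..." with no drive letter
        path = "C:" + path
    return path.lower()


def dedupe_iocs(records):
    """Group report entries by SHA-256 so each unique dropped file appears once."""
    by_hash = defaultdict(set)
    for path, sha256 in records:
        by_hash[sha256.lower()].add(normalize_path(path))
    return dict(by_hash)


# Whitespace immediately before a short extension, as in "acrotray .exe".
_SPACE_BEFORE_EXT = re.compile(r"\s+\.[a-z0-9]{1,4}$")


def masquerade_flags(path):
    """Flag the filename trick visible in the report: a space before the
    extension, which makes 'acrotray .exe' read like acrotray.exe."""
    name = ntpath.basename(normalize_path(path))
    return ["whitespace-before-extension"] if _SPACE_BEFORE_EXT.search(name) else []


def process_tree_findings(tree):
    """Flag an image under Program Files launched by a parent running from a
    user Temp directory, and a process that re-spawns its own image."""
    by_pid = {pid: (ppid, normalize_path(img)) for pid, ppid, img in tree}
    findings = []
    for pid, (ppid, img) in by_pid.items():
        if ppid not in by_pid:
            continue
        parent_img = by_pid[ppid][1]
        if img.startswith("c:\\program files") and "\\appdata\\local\\temp\\" in parent_img:
            findings.append((pid, "program-files-child-of-temp-parent"))
        if img == parent_img:
            findings.append((pid, "self-respawn"))
    return findings


def match_inventory(inventory, iocs):
    """Compare a (path, SHA-256) inventory against the IOC set. A hash hit
    counts at any path; a known dropped filename carrying a different hash
    is reported separately as a possible variant worth a look."""
    ioc_names = {ntpath.basename(p) for paths in iocs.values() for p in paths}
    hits = []
    for path, sha256 in inventory:
        npath = normalize_path(path)
        if sha256.lower() in iocs:
            hits.append((npath, "hash-match"))
        elif ntpath.basename(npath) in ioc_names:
            hits.append((npath, "name-match-hash-mismatch"))
        for flag in masquerade_flags(path):
            hits.append((npath, flag))
    return hits


if __name__ == "__main__":
    iocs = dedupe_iocs(DROPPED)
    for sha256, paths in iocs.items():
        print(sha256, sorted(paths))
    print(process_tree_findings(PROCESS_TREE))
    print(match_inventory(HOST_INVENTORY, iocs))
```

The report records a Run-key addition but the visible entries do not show the key's value, so the script deliberately contains no registry check; the `name-match-hash-mismatch` heuristic is there because the dropped names (wmpscfgs.exe, acrotray.exe, bcssync.exe) are the durable part of this dropper's footprint while the hashes change between samples.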