eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe
Size

1.2MB
MD5

32d7837dd2064798da1021fb54704059
SHA1

6fb700bb91b0acebe8fff555b25a39372b3d0e20
SHA256

eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44
SHA512

a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557
SSDEEP

24576:MhMBtHz9B8v1EaQb/P9zX+eHk96z/FUym:MqjHz9BwQbn5+eE9AFUy

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	2278359815.exe

Deletes itself 1 IoCs

pid	Process
1472	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1472	cmd.exe
1472	cmd.exe
1680	2278359815.exe
1680	2278359815.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44 = "\"C:\\Users\\Admin\\AppData\\Local\\2278359815.exe\" 0 40 "	eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	2278359815.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2278359815 = "\"C:\\Users\\Admin\\AppData\\Local\\2278359815.exe\" 0 23 "	2278359815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
956	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	2278359815.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe
1680	2278359815.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1472	1644	eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe	28
PID 1644 wrote to memory of 1472	1644	eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe	28
PID 1644 wrote to memory of 1472	1644	eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe	28
PID 1644 wrote to memory of 1472	1644	eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe	28
PID 1472 wrote to memory of 956	1472	cmd.exe	30
PID 1472 wrote to memory of 956	1472	cmd.exe	30
PID 1472 wrote to memory of 956	1472	cmd.exe	30
PID 1472 wrote to memory of 956	1472	cmd.exe	30
PID 1472 wrote to memory of 1680	1472	cmd.exe	31
PID 1472 wrote to memory of 1680	1472	cmd.exe	31
PID 1472 wrote to memory of 1680	1472	cmd.exe	31
PID 1472 wrote to memory of 1680	1472	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe
"C:\Users\Admin\AppData\Local\Temp\eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3088693664.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44 /f
    3⤵
    - Modifies registry key
    PID:956
- - C:\Users\Admin\AppData\Local\2278359815.exe
    C:\Users\Admin\AppData\Local\227835~1.EXE -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2278359815.exe

Filesize
1.2MB

MD5
32d7837dd2064798da1021fb54704059

SHA1
6fb700bb91b0acebe8fff555b25a39372b3d0e20

SHA256
eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

SHA512
a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557

Download Submit
C:\Users\Admin\AppData\Local\2278359815.exe

Filesize
1.2MB

MD5
32d7837dd2064798da1021fb54704059

SHA1
6fb700bb91b0acebe8fff555b25a39372b3d0e20

SHA256
eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

SHA512
a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557

Download Submit
C:\Users\Admin\AppData\Local\Temp\3088693664.bat

Filesize
458B

MD5
e76655bbe28a6f7d5cf441aa52199401

SHA1
f486f3c78fedfacc6499439bd631b04cd431ae88

SHA256
6137fa72c75f6d95eb3635d63db46b70e52fa22aedf1fb077c82df2f6015414f

SHA512
95cc347377f4071b01761fc81b6213d60e53ae6b9fb05d173700f399917ee7bda54a5ee8965d048703cc879a9ef525501c02cb1a0d641a571140babba174a53e

Download Submit
\Users\Admin\AppData\Local\2278359815.exe

Filesize
1.2MB

MD5
32d7837dd2064798da1021fb54704059

SHA1
6fb700bb91b0acebe8fff555b25a39372b3d0e20

SHA256
eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

SHA512
a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557

Download Submit
\Users\Admin\AppData\Local\2278359815.exe

Filesize
1.2MB

MD5
32d7837dd2064798da1021fb54704059

SHA1
6fb700bb91b0acebe8fff555b25a39372b3d0e20

SHA256
eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

SHA512
a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557

Download Submit
\Users\Admin\AppData\Local\2278359815.exe

Filesize
1.2MB

MD5
32d7837dd2064798da1021fb54704059

SHA1
6fb700bb91b0acebe8fff555b25a39372b3d0e20

SHA256
eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

SHA512
a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557

Download Submit
\Users\Admin\AppData\Local\2278359815.exe

Filesize
1.2MB

MD5
32d7837dd2064798da1021fb54704059

SHA1
6fb700bb91b0acebe8fff555b25a39372b3d0e20

SHA256
eff829cee83fcef595100cf11fedfc3c1158da4d38fbf1bf5a4f4091875a2e44

SHA512
a70704402c7f83906e0f84ce64a513204827db3e95bdadcbf4c4a51d51dff77c9b41be095c7a83fbd081b01a43ecd037d5b37ac55b64eed01ca5bfef99ee2557

Download Submit
memory/1644-59-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1644-57-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1644-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1644-55-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1680-69-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1680-71-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1680-68-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1680-73-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download