7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/09/2022, 12:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe
Size

8KB
MD5

d12bbc86ed74bf6bb5d2f8ccb1cb6d3d
SHA1

f13cf7d452a953d95d3af5ae054a781cb9cb817c
SHA256

7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b
SHA512

7fc87d595228f6e60df774d8c2e1a1eac25f3f0a27027784b4bf362dae10610ffeda0ca3b1931eb485f476b8372e558f7a837f255323c7c3e9a20a28984d82c0
SSDEEP

192:yd7+OMFFr5Jyi/8XRyLkSD8g8Xd2oXQbv0DiPD9OY:q73MjruiURyLkk8lN2oAj0+PZOY

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decrypt.txt	HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1776	1148	HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe	27
PID 1148 wrote to memory of 1776	1148	HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe	27
PID 1148 wrote to memory of 1776	1148	HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe	27
PID 1148 wrote to memory of 1776	1148	HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe	27

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Encoder.gen-7e6d9e69225ab0234873be6bc5e3b58e1273dd05fff7b6f69e77f8f158f7c15b.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" Decrypt.txt
  2⤵
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Decrypt.txt

Filesize
165B

MD5
2e654950dc3d018faa825b99503b9f51

SHA1
ca867091fe3f888c919a5c08805267f314a65d2c

SHA256
0ed9df5c9ac684e37f10cdbe40b78e583e317774116c79edff64e83d995ddd02

SHA512
5f31771b6c12a961d13c65a4ed3025f8bd25685589ef78a969474c15af8b8249bca10dfd0782fad9eeef65e589d983e1b172926ce3d0b95f7b211258853d4516

Download Submit
memory/1148-54-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1776-56-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download