30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
Size

7KB
MD5

40b1ec9f0eb2f95da5541792ac561eb2
SHA1

01f6025fd585090f56163b1ac9edd17bcb47691f
SHA256

30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc
SHA512

839e3c25314c8690d2947490d0b3ee5654250103a2ae4ab5a378e7f7c43d642d63900bb9d423c78b4a6eb64aa2d0fe4fc270f6411d66f8ab545ad6c96f777eda
SSDEEP

96:e7p9mCOBB7QSCMkJxuJRd9EWWuOWwb4wf4tW1:e99mCOB7CMkJxu/kW/OW0f4tW

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\SndVol.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\openfiles.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\prevhost.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\eudcedit.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\w32tm.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\syskey.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\RpcPing.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\unlodctr.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\rdrleakdiag.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\winrshost.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\wininit.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\mshta.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\netiougc.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\newdev.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\dpnsvr.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\WerFault.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fveupdate.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\notepad.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\splwow64.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\twunk_16.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\winhlp32.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\write.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\explorer.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\HelpPane.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\hh.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\twunk_32.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
File opened for modification	C:\Windows\bfsvc.exe	30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe
"C:\Users\Admin\AppData\Local\Temp\30900aa70bf6d2810a238ffd5970d2e5c2a43b153d00b34a1b4f2ffb054885cc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1372-55-0x0000000001000000-0x0000000001004B00-memory.dmp

Filesize
18KB

Download