Analysis

  • max time kernel
    151s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2022, 19:51

General

  • Target

    a87fa6e062c3c2dd9e21f17ea5f281785bd346b725cf010e0746cd86fe581ee2.exe

  • Size

    84KB

  • MD5

    6101fda3b80146753f1c7c5abbd36d17

  • SHA1

    31f20990a690236ff77fd8461c611ef6db30d969

  • SHA256

    a87fa6e062c3c2dd9e21f17ea5f281785bd346b725cf010e0746cd86fe581ee2

  • SHA512

    09fa993c33694a87a1bf56998a2649f95ce0e362d8c568535d39147b24532cf11baeb701494046b3d4ffec9c835170025a017beb5a96074c7019a4e6bb86ae07

  • SSDEEP

    768:9G9RIXmuec4OdJNUC1x2avPPpykILkGuIBLP3nEZCcLX/CVSFJ0T72Uap5/7TONO:9kZOdUCJwVu1ocTzFJ0T72VpF7

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a87fa6e062c3c2dd9e21f17ea5f281785bd346b725cf010e0746cd86fe581ee2.exe
    "C:\Users\Admin\AppData\Local\Temp\a87fa6e062c3c2dd9e21f17ea5f281785bd346b725cf010e0746cd86fe581ee2.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\duiow.exe
      "C:\Users\Admin\duiow.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1936

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\duiow.exe

    Filesize

    84KB

    MD5

    88ec404c23ac121423c951ab58f855e7

    SHA1

    5142508bff2ccea714ec40b649a01872dcb58c7e

    SHA256

    85773b928b8b824c8182198b82a16188f4a720aaa1974c58d277adc93980afa3

    SHA512

    6a30b57feb830db4dd2a2fb97930cfbeec8b98eebef6f15c5862d193bc9bd688a0f887d7c9842cece329b063269b9a694df566f0e2ff947ab6c892147e487784

  • \Users\Admin\duiow.exe

    Filesize

    84KB

    MD5

    88ec404c23ac121423c951ab58f855e7

    SHA1

    5142508bff2ccea714ec40b649a01872dcb58c7e

    SHA256

    85773b928b8b824c8182198b82a16188f4a720aaa1974c58d277adc93980afa3

    SHA512

    6a30b57feb830db4dd2a2fb97930cfbeec8b98eebef6f15c5862d193bc9bd688a0f887d7c9842cece329b063269b9a694df566f0e2ff947ab6c892147e487784

  • memory/1464-56-0x00000000758B1000-0x00000000758B3000-memory.dmp

    Filesize

    8KB