Analysis

  • max time kernel
    110s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2022 15:24

General

  • Target

    dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2.exe

  • Size

    1MB

  • MD5

    650b624d0ef2f2293049adcb28c9ebae

  • SHA1

    7704d2a2cb4888e160094b5121956917bfbe0f69

  • SHA256

    dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2

  • SHA512

    fbcb3794ef11f10397258b56ba851fb2e18ae1aae937886147b38b94745dfebbf7b9414901ceb530fc2db4a251b46b70d4f5e45c810fe76185d993e9b185c7d2

  • SSDEEP

    24576:8RmJkcoQricOIQxiZY1iaNMKvX8rSFl2F1tbJMiU0TAW6:pJZoQrbTFZY1iaNMBR7TMFkAN

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings ⋅ 1 TTPs 34 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 6 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2.exe
    "C:\Users\Admin\AppData\Local\Temp\dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Users\Admin\AppData\Local\Temp\dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2.exe
      C:\Users\Admin\AppData\Local\Temp\dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2.exe
      Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=dd3449650d2ffc0a3f66fe92693c5de66de7983b356819e9ec34567f81e396c2.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:275457 /prefetch:2
          Modifies Internet Explorer settings
          Suspicious use of SetWindowsHookEx
          PID:1536

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                      Replay Monitor

                      00:00 00:00

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F3ZBIXXR.txt
                        MD5

                        5ddddcc837fcace18544a6dbf1fdc196

                        SHA1

                        7bb1023ac723d06b7b60d55fa5545637f43f7126

                        SHA256

                        f1ba09e1192048d800e6d5b08da8ed56af5cf7e99eba6da71f70b6ea43a66765

                        SHA512

                        f3bf5c0b47324db623f0f405aabe55ecc665f69914d4b0792bf335c88d04b2533e4f71d593f49a4dc72b6195b13de1a8a0f06afc4b53b8b4770dc05f9532d3be

                      • memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp
                      • memory/1692-55-0x00000000000C0000-0x0000000000102000-memory.dmp
                      • memory/1692-58-0x00000000000FD99E-mapping.dmp
                      • memory/1692-57-0x00000000000C0000-0x0000000000102000-memory.dmp
                      • memory/1692-60-0x00000000000C0000-0x0000000000102000-memory.dmp
                      • memory/1692-62-0x00000000000C0000-0x0000000000102000-memory.dmp