e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe
Size

361KB
MD5

3d3cc6206109f7edd46b2c7953bb5a90
SHA1

b48618de7b94d408cc80764496580b2d7bb40c6a
SHA256

e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f
SHA512

89657f8fe5d8b05cc1100a7094879d577e921f9bb5f7a6861a22be9fb3926954440d519d8a3f5b0ea121990a0ec89f9642a250b04649bc474b070aada408f154
SSDEEP

6144:/G849+VXKgOjLMNaBiSkltLy5p+r5AuGisTcvR1lKJP1:+ViXKgOjLUaXk25pKKuGHTcvblgP1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1408	explorer.exe
288	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe
2044	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\explorer.exe"	explorer.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1408 set thread context of 288	1408	explorer.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe
1408	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 1488 wrote to memory of 2044	1488	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	26
PID 2044 wrote to memory of 1408	2044	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	27
PID 2044 wrote to memory of 1408	2044	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	27
PID 2044 wrote to memory of 1408	2044	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	27
PID 2044 wrote to memory of 1408	2044	e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe	27
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28
PID 1408 wrote to memory of 288	1408	explorer.exe	28

C:\Users\Admin\AppData\Local\Temp\e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe
"C:\Users\Admin\AppData\Local\Temp\e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe
  "C:\Users\Admin\AppData\Local\Temp\e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe

Filesize
361KB

MD5
3d3cc6206109f7edd46b2c7953bb5a90

SHA1
b48618de7b94d408cc80764496580b2d7bb40c6a

SHA256
e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f

SHA512
89657f8fe5d8b05cc1100a7094879d577e921f9bb5f7a6861a22be9fb3926954440d519d8a3f5b0ea121990a0ec89f9642a250b04649bc474b070aada408f154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe

Filesize
361KB

MD5
3d3cc6206109f7edd46b2c7953bb5a90

SHA1
b48618de7b94d408cc80764496580b2d7bb40c6a

SHA256
e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f

SHA512
89657f8fe5d8b05cc1100a7094879d577e921f9bb5f7a6861a22be9fb3926954440d519d8a3f5b0ea121990a0ec89f9642a250b04649bc474b070aada408f154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\explorer.exe

Filesize
361KB

MD5
3d3cc6206109f7edd46b2c7953bb5a90

SHA1
b48618de7b94d408cc80764496580b2d7bb40c6a

SHA256
e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f

SHA512
89657f8fe5d8b05cc1100a7094879d577e921f9bb5f7a6861a22be9fb3926954440d519d8a3f5b0ea121990a0ec89f9642a250b04649bc474b070aada408f154

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\explorer.exe

Filesize
361KB

MD5
3d3cc6206109f7edd46b2c7953bb5a90

SHA1
b48618de7b94d408cc80764496580b2d7bb40c6a

SHA256
e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f

SHA512
89657f8fe5d8b05cc1100a7094879d577e921f9bb5f7a6861a22be9fb3926954440d519d8a3f5b0ea121990a0ec89f9642a250b04649bc474b070aada408f154

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\explorer.exe

Filesize
361KB

MD5
3d3cc6206109f7edd46b2c7953bb5a90

SHA1
b48618de7b94d408cc80764496580b2d7bb40c6a

SHA256
e9eba17073ace89cd36687d63abb72b7878b497326c7d7ad6ea5aed71f91786f

SHA512
89657f8fe5d8b05cc1100a7094879d577e921f9bb5f7a6861a22be9fb3926954440d519d8a3f5b0ea121990a0ec89f9642a250b04649bc474b070aada408f154

Download Submit
memory/288-104-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/288-103-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/1408-102-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1488-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1488-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2044-74-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-66-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-72-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/2044-75-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2044-70-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-68-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-73-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-81-0x0000000002F10000-0x0000000002F6B000-memory.dmp

Filesize
364KB

Download
memory/2044-80-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/2044-64-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-63-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-61-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-60-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-58-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2044-57-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download