dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 11:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe
Size

88KB
MD5

30fae14b737a46a576f55325753c112c
SHA1

5cab8be05ea72824c0cfed4d7357218df485c3a3
SHA256

dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7
SHA512

eeda380cedb626af7e3e00e8f38c11c9e68cfead9c68b5a5abba159fefd2db740466a6533b7a119a463eaf96e91fec6f9aeeae2ef059658beea51ecd0e0ab12a
SSDEEP

1536:Hn/oYXON5n7svkh10LS9tHCGLlje4QCmmHjskWID:H/oBYv00LS9tHCG5TQCmmHjse

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1784	adpplay.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe
2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\adpplay.exe	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1784	adpplay.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1784	2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe	26
PID 2044 wrote to memory of 1784	2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe	26
PID 2044 wrote to memory of 1784	2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe	26
PID 2044 wrote to memory of 1784	2044	dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe	26
PID 1784 wrote to memory of 1596	1784	adpplay.exe	27
PID 1784 wrote to memory of 1596	1784	adpplay.exe	27
PID 1784 wrote to memory of 1596	1784	adpplay.exe	27
PID 1784 wrote to memory of 1596	1784	adpplay.exe	27
PID 1596 wrote to memory of 1564	1596	cmd.exe	29
PID 1596 wrote to memory of 1564	1596	cmd.exe	29
PID 1596 wrote to memory of 1564	1596	cmd.exe	29
PID 1596 wrote to memory of 1564	1596	cmd.exe	29
PID 1564 wrote to memory of 1392	1564	net.exe	30
PID 1564 wrote to memory of 1392	1564	net.exe	30
PID 1564 wrote to memory of 1392	1564	net.exe	30
PID 1564 wrote to memory of 1392	1564	net.exe	30

C:\Users\Admin\AppData\Local\Temp\dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe
"C:\Users\Admin\AppData\Local\Temp\dbd7bbb4dea7859f3f23fdebcd751f9077289df8c2d0ac21c327f2eacd6d19e7.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Program Files\Internet Explorer\adpplay.exe
  "C:\Program Files\Internet Explorer\adpplay.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\adpplay.exe

Filesize
44KB

MD5
53a3c267a25d864330929bd0c28ec17c

SHA1
3c9daf02846a2a1356c087f53ab8c8a21fd652a4

SHA256
b1fc6c5c5b64304f206d8c267f1248186735725b258ce9676d2ffd27592f206c

SHA512
446cbfc35e58928d070372b2ee3a181867ba5ced54d4208213eef33e2da20eb253bf286e08159f7ffb72c1aa0f12b3ab10b54758b8a11d5849c5af64ebfb6c73

Download Submit
\Program Files\Internet Explorer\adpplay.exe

Filesize
44KB

MD5
53a3c267a25d864330929bd0c28ec17c

SHA1
3c9daf02846a2a1356c087f53ab8c8a21fd652a4

SHA256
b1fc6c5c5b64304f206d8c267f1248186735725b258ce9676d2ffd27592f206c

SHA512
446cbfc35e58928d070372b2ee3a181867ba5ced54d4208213eef33e2da20eb253bf286e08159f7ffb72c1aa0f12b3ab10b54758b8a11d5849c5af64ebfb6c73

Download Submit
\Program Files\Internet Explorer\adpplay.exe

Filesize
44KB

MD5
53a3c267a25d864330929bd0c28ec17c

SHA1
3c9daf02846a2a1356c087f53ab8c8a21fd652a4

SHA256
b1fc6c5c5b64304f206d8c267f1248186735725b258ce9676d2ffd27592f206c

SHA512
446cbfc35e58928d070372b2ee3a181867ba5ced54d4208213eef33e2da20eb253bf286e08159f7ffb72c1aa0f12b3ab10b54758b8a11d5849c5af64ebfb6c73

Download Submit
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download