cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe
Size

348KB
MD5

8986b3f521166b08762007b3a8ff75c1
SHA1

fc2d006af75a9b3f109bf3b3d5e7167555722462
SHA256

cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41
SHA512

9d5c8a260d83adb2925790f2f93adcb68f1d7af6d857631b381be7cefb7cd0180668f67ea4dfb5e553b19141c5e335b132627e3f3816ab60c84d0ad0aa02ddf9
SSDEEP

6144:MN6F6aZP+d4dSUZda/YyppToyXgIBqvoAkloFBFZ3RUPpn:M4FpZYASUP3MCyXtAkloFvJR4p

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1120	chrome.scr
1756	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe
1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe
1120	chrome.scr
1436	dw20.exe
1436	dw20.exe
1436	dw20.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\chrome.scr"	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1120 set thread context of 1756	1120	chrome.scr	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe
1120	chrome.scr

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1120	1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe	27
PID 1444 wrote to memory of 1120	1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe	27
PID 1444 wrote to memory of 1120	1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe	27
PID 1444 wrote to memory of 1120	1444	cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe	27
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1120 wrote to memory of 1756	1120	chrome.scr	28
PID 1756 wrote to memory of 1436	1756	svchost.exe	30
PID 1756 wrote to memory of 1436	1756	svchost.exe	30
PID 1756 wrote to memory of 1436	1756	svchost.exe	30
PID 1756 wrote to memory of 1436	1756	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe
"C:\Users\Admin\AppData\Local\Temp\cc2b79820af28546653fc644b3c41619c9495d767e90341745af47ca1f928c41.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Roaming\subfolder\chrome.scr
  "C:\Users\Admin\AppData\Roaming\subfolder\chrome.scr" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Roaming\subfolder\chrome.scr" /S
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 760
      4⤵
      Loads dropped DLL
      PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\chrome.scr

Filesize
348KB

MD5
a550e0d5ddbffcbb0210715ea1b2a8ef

SHA1
8f16fe4c3d1b35b9470af983cb35186dc267ae0c

SHA256
b57d54a5b11510ecd03aa38689356401b170ff37e3c0641c604a57446051680b

SHA512
3eba500a1bd5a81064b74c09ab6aaf398b9f5246a393295bd637891d45f3fe9bd89905f026bb1776d63b14c29b2552c8a9365ea419c9ba9302dcb86c2b669fb4

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\AppData\Roaming\subfolder\chrome.scr

Filesize
348KB

MD5
a550e0d5ddbffcbb0210715ea1b2a8ef

SHA1
8f16fe4c3d1b35b9470af983cb35186dc267ae0c

SHA256
b57d54a5b11510ecd03aa38689356401b170ff37e3c0641c604a57446051680b

SHA512
3eba500a1bd5a81064b74c09ab6aaf398b9f5246a393295bd637891d45f3fe9bd89905f026bb1776d63b14c29b2552c8a9365ea419c9ba9302dcb86c2b669fb4

Download Submit
\Users\Admin\AppData\Roaming\subfolder\chrome.scr

Filesize
348KB

MD5
a550e0d5ddbffcbb0210715ea1b2a8ef

SHA1
8f16fe4c3d1b35b9470af983cb35186dc267ae0c

SHA256
b57d54a5b11510ecd03aa38689356401b170ff37e3c0641c604a57446051680b

SHA512
3eba500a1bd5a81064b74c09ab6aaf398b9f5246a393295bd637891d45f3fe9bd89905f026bb1776d63b14c29b2552c8a9365ea419c9ba9302dcb86c2b669fb4

Download Submit
memory/1444-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-61-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1756-70-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1756-75-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-72-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1756-66-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1756-81-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download