Overview

overview

10

Static

static

add304b4d8...c1.exe

windows7-x64

10

add304b4d8...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2022, 02:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    add304b4d899b58766d0343c177527b60c03a31ba1cbdffd9d6701ec15ea15c1.exe

  • Size

    736KB

  • MD5

    34b5edde1d966df3661f783489d006f0

  • SHA1

    274af47f875010e7feacf3a9cc0aa37688bb9f0b

  • SHA256

    add304b4d899b58766d0343c177527b60c03a31ba1cbdffd9d6701ec15ea15c1

  • SHA512

    8ea054b133145a337183263946e0ab2951afbecc9c8eccea830a5fd00bee59b03ecbcd53b4c8b81903b0c6720b4d9472c372e361f366c5f89c7a936f31f7a4b9

  • SSDEEP

    6144:dC4umWphVf4j27zo1cvJTDEpULgU8L94jDV9U1woU8LSHP0x8Taj97:H9WphJx7k0DEpUE9QDV9U11Sa

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\add304b4d899b58766d0343c177527b60c03a31ba1cbdffd9d6701ec15ea15c1.exe
    "C:\Users\Admin\AppData\Local\Temp\add304b4d899b58766d0343c177527b60c03a31ba1cbdffd9d6701ec15ea15c1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
        3⤵
        • Adds Run key to start application
        PID:568

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1396-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

          Filesize

          8KB

          Download