767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe
Size

61KB
MD5

40b4b185792e7ffc1e946bb022262180
SHA1

bf226ca21f5f5433d1c52f600c66e4e198c483b0
SHA256

767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb
SHA512

e0d5810fd9a3c2e213df788d2ffb01568a4ac636d4071baff0226222c27d294c1403ffe5ab67b70b06d6d1c68ba69b9eb45e80da8a5355834ccd79e3bc1535d7
SSDEEP

768:oylfdxBCi4imGYRd43JfnPOlBAgW7nhsqzdjqiB9V1/IeAlqYWotiPHgK:oytL48YRd43J/L7O2T/foE

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Run = "C:\\Users\\Admin\\AppData\\Roaming\\OSSMTP.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 944	1060	767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe	27
PID 1060 wrote to memory of 944	1060	767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe	27
PID 1060 wrote to memory of 944	1060	767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe	27
PID 1060 wrote to memory of 944	1060	767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe	27
PID 944 wrote to memory of 1220	944	cmd.exe	29
PID 944 wrote to memory of 1220	944	cmd.exe	29
PID 944 wrote to memory of 1220	944	cmd.exe	29
PID 944 wrote to memory of 1220	944	cmd.exe	29
PID 944 wrote to memory of 1980	944	cmd.exe	30
PID 944 wrote to memory of 1980	944	cmd.exe	30
PID 944 wrote to memory of 1980	944	cmd.exe	30
PID 944 wrote to memory of 1980	944	cmd.exe	30
PID 944 wrote to memory of 2024	944	cmd.exe	31
PID 944 wrote to memory of 2024	944	cmd.exe	31
PID 944 wrote to memory of 2024	944	cmd.exe	31
PID 944 wrote to memory of 2024	944	cmd.exe	31
PID 944 wrote to memory of 2036	944	cmd.exe	32
PID 944 wrote to memory of 2036	944	cmd.exe	32
PID 944 wrote to memory of 2036	944	cmd.exe	32
PID 944 wrote to memory of 2036	944	cmd.exe	32
PID 944 wrote to memory of 1732	944	cmd.exe	33
PID 944 wrote to memory of 1732	944	cmd.exe	33
PID 944 wrote to memory of 1732	944	cmd.exe	33
PID 944 wrote to memory of 1732	944	cmd.exe	33
PID 944 wrote to memory of 1988	944	cmd.exe	34
PID 944 wrote to memory of 1988	944	cmd.exe	34
PID 944 wrote to memory of 1988	944	cmd.exe	34
PID 944 wrote to memory of 1988	944	cmd.exe	34
PID 944 wrote to memory of 1984	944	cmd.exe	35
PID 944 wrote to memory of 1984	944	cmd.exe	35
PID 944 wrote to memory of 1984	944	cmd.exe	35
PID 944 wrote to memory of 1984	944	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe
"C:\Users\Admin\AppData\Local\Temp\767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t32522.bat" "C:\Users\Admin\AppData\Local\Temp\767ae9fadc2131b2da09ec5ea79a7dbff9f764091dd9fc61328002e644bf8acb.exe" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v Run /t REG_SZ /f /D C:\Users\Admin\AppData\Roaming\OSSMTP.exe
    3⤵
    - Adds Run key to start application
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D94AEE6-A6F4-4715-9BC8-A6A4A837EFCE}" /v "Enable"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\find.exe
    Find "1"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKCU\Control Panel\International" /v "sCountry"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\find.exe
    Find "Brasil"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKCU\Control Panel\International" /v "sCountry"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\find.exe
    Find "Brazil"
    3⤵
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ztmp\t32522.bat

Filesize
1KB

MD5
fd99dee22ae8e96943e32ef779beb216

SHA1
5fe7e718ca799d2317c6a0214f3749573a2aa5a4

SHA256
540b07b496f068cca283c70cded58b348d687bb9bf41b1d53c6cf0a6c01f981e

SHA512
7136b9d92b5c986e1e66109aa12ee07c442061b44b09f71900d1dc8985ac685dd084ca4b67f48deab9bd07f9cd0dd537dfb97cc733eb964ac6e5a208abc6db0f

Download Submit
memory/1060-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download