Analysis

  • max time kernel
    98s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 04:59 UTC

General

  • Target

    7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe

  • Size

    797KB

  • MD5

    4407cd47bc68ccab2e958f5016ccd330

  • SHA1

    cad523447c6d14fa44d3e5e6e70e602420ff4b12

  • SHA256

    7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55

  • SHA512

    06f5f6f522dcd12152d6be6d25c51c5a732af7a0df280ad56f03f300e9e9c187bb2829cff2bc3c0f84eb93a2c84802135218d0c39a1b1fa346001ba8dd844c5c

  • SSDEEP

    24576:woe3sDKnxYaXJi2Y3MpbwnCvzb4cbmYdTyVD7:w9sDkYOMwwnMb4PmyVn

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but no file encryption or ransom-note activity is reported in this run, and drive enumeration is equally typical of a file infector searching for hosts. The sizes in Downloads (797KB submitted file, 80KB MSWDM.EXE, 717KB dev79F7.tmp) and the MSWDM.EXE -r/-e command lines in the process tree are consistent with an 80KB stub prepended to a 717KB host that is unpacked to a temp file, executed, and re-embedded.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
    "C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\WINDOWS\MSWDM.EXE
      "C:\WINDOWS\MSWDM.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Drops file in Windows directory
      PID:2248
    • C:\WINDOWS\MSWDM.EXE
      -r!C:\Windows\dev79F7.tmp!C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe! !
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2496
      • C:\WINDOWS\MSWDM.EXE
        -e!C:\Windows\dev79F7.tmp!C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE!
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4712
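The process tree above shows the sample's distinctive launch pattern: MSWDM.EXE is dropped into C:\Windows and then re-invoked with bang-delimited arguments, -r!<tmp>!<original>! (followed by the child process running the extracted .EXE) and -e!<tmp>!<original>! (followed by a file write in the Windows directory). Reading these as unpack and re-embed stages is an inference from the child processes and file sizes, not something the report states. The script below is an added example, not part of this report or the sandbox's own signature logic: it parses that argument shape and flags matching process-creation events. The events are constructed to mirror the tree (the field names are an assumption, loosely modelled on Sysmon Event ID 1), with one benign event added as a control.

```python
"""Flag MSWDM.EXE-style '-r!tmp!orig!' / '-e!tmp!orig!' launches in process-creation events."""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed events mirroring the process tree in this report (hypothetical
# field names, loosely modelled on Sysmon Event ID 1); pid 3001 is a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe"
SAMPLE_UC = ntpath.join(ntpath.dirname(SAMPLE), ntpath.basename(SAMPLE).upper())
TMP = r"C:\Windows\dev79F7.tmp"
EVENTS: List[Dict] = [
    {"pid": 2100, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2248, "image": r"C:\WINDOWS\MSWDM.EXE", "cmdline": r'"C:\WINDOWS\MSWDM.EXE"'},
    {"pid": 820, "image": r"C:\WINDOWS\MSWDM.EXE",
     "cmdline": f"C:\\WINDOWS\\MSWDM.EXE -r!{TMP}!{SAMPLE}! !"},
    {"pid": 4712, "image": r"C:\WINDOWS\MSWDM.EXE",
     "cmdline": f"C:\\WINDOWS\\MSWDM.EXE -e!{TMP}!{SAMPLE_UC}!"},
    {"pid": 3001, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# '-r' or '-e' flag glued to three '!'-separated fields, anchored to an argument boundary.
BANG = re.compile(r"(?:^|\s)-(?P<mode>[re])!(?P<tmp>[^!]*)!(?P<orig>[^!]*)!")
# Staging file name seen in the report: C:\Windows\dev<4 hex digits>.tmp
DEV_TMP = re.compile(r"^[a-z]:\\windows\\dev[0-9a-f]{4}\.tmp$", re.IGNORECASE)
STAGE = {"r": "unpack host to staging file", "e": "re-embed host into original path"}


def parse_bang_args(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {'mode', 'tmp', 'orig'} for a -r!/-e! command line, else None."""
    m = BANG.search(cmdline)
    return m.groupdict() if m else None


def classify(event: Dict) -> List[str]:
    """Reasons to flag this event; an empty list means nothing matched."""
    reasons: List[str] = []
    image = event["image"]
    if (ntpath.basename(image).upper() == "MSWDM.EXE"
            and ntpath.dirname(image).upper() == r"C:\WINDOWS"):
        reasons.append("MSWDM.EXE executing from the Windows directory")
    args = parse_bang_args(event["cmdline"])
    if args:
        reasons.append(f"bang-delimited -{args['mode']} arguments ({STAGE[args['mode']]})")
        if DEV_TMP.match(args["tmp"]):
            reasons.append(f"dev####.tmp staging file under C:\\Windows: {args['tmp']}")
    return reasons


def flagged(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event with at least one match."""
    out: Dict[int, List[str]] = {}
    for e in events:
        reasons = classify(e)
        if reasons:
            out[e["pid"]] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in flagged(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run as-is it flags PIDs 2248, 820 and 4712 and leaves the original Temp-directory launch and the control alone. The three rules are deliberately independent so that a rename of MSWDM.EXE still trips on the argument grammar, and a change of argument grammar still trips on the Windows-directory image path; the dev####.tmp rule is the most brittle and is best treated as corroboration rather than a standalone alert.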

Network

  • DNS (US) 97.97.242.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.97.242.52.in-addr.arpa IN PTR
    Response: (no records recorded)
  • DNS (US) 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
    Remote address: 8.8.8.8:53
    Request: 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa IN PTR
    Response: (no records recorded)

  Connections (bytes / count, outbound then inbound where both were recorded). Only the three port-78 broadcasts are attributed to a sample process (MSWDM.EXE); the other flows have no originating process recorded.

  • 52.109.8.45:443  out 40 B / 1
  • 93.184.221.240:80  out 322 B / 7
  • 93.184.220.29:80  out 322 B / 7
  • 10.127.255.255:78  MSWDM.EXE  out 46 B / 1
  • 10.255.255.255:78  MSWDM.EXE  out 46 B / 1
  • 10.127.0.255:78  MSWDM.EXE  out 46 B / 1
  • 8.8.8.8:53  dns  out 71 B / 1  in 145 B / 1
    DNS Request: 97.97.242.52.in-addr.arpa
  • 8.8.8.8:53  dns  out 118 B / 1  in 204 B / 1
    DNS Request: 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

    Filesize

    797KB

    MD5

    625b450e02f10583e7ec3e75056b17fd

    SHA1

    e518125eddb35a4e7178cc3120e49f6803c00b66

    SHA256

    0501c5d0e8cf3067f7cc2a5ecb1d4b4bd1ecc3bbe54edd670100b8813df0e3c2

    SHA512

    6c1869ebb858ff8ae4e5cee4cd4e46d2da65f479d7eeccd4866cea12b69f1d5fa95b0d62d87cbe9fd3ea241def939d982c74a67fd94ef7f7bee3802baa5917b2

  • C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe

    Filesize

    717KB

    MD5

    169c293ce9460a05646d17dc6aa2fb2c

    SHA1

    f0c018d61e844447dcc5a5734e1edff4997e59d5

    SHA256

    a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

    SHA512

    7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

  • C:\WINDOWS\MSWDM.EXE

    Filesize

    80KB

    MD5

    c227284e3308661150f07c9f98f0033b

    SHA1

    ee20dab910e7a1234f6f8298dc02d8510ee6f44c

    SHA256

    98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

    SHA512

    3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

  • C:\Windows\MSWDM.EXE

    Filesize

    80KB

    MD5

    c227284e3308661150f07c9f98f0033b

    SHA1

    ee20dab910e7a1234f6f8298dc02d8510ee6f44c

    SHA256

    98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

    SHA512

    3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

  • C:\Windows\dev79F7.tmp

    Filesize

    717KB

    MD5

    169c293ce9460a05646d17dc6aa2fb2c

    SHA1

    f0c018d61e844447dcc5a5734e1edff4997e59d5

    SHA256

    a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

    SHA512

    7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

  • memory/820-148-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/820-142-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2100-137-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2248-141-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2248-149-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4712-146-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB
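Three figures in the Downloads list add up: the 797KB submitted file, the 80KB MSWDM.EXE, and the 717KB dev79F7.tmp, which carries the same hashes as the 717KB Temp\7b5d...exe entry. The re-embedded uppercase .EXE is again 797KB but hashes differently (625b...) from the submitted file (4407...). That is consistent with, though the report alone does not prove, the submitted file being the 80KB stub followed by the 717KB host. The script below is an added example, not part of this report or any sandbox tooling: given a file plus the reported SHA256s of stub and host, it searches for the split offset (the KB figures are rounded, so the exact stub length is unknown) with an incrementally copied hasher and then verifies the remainder. Because the sample itself is not on the page it runs on a constructed stub+host blob; the hashes it checks come from that constructed data, and the report's hashes appear only in the commented call at the end.

```python
"""Check whether a file is a known stub followed by a known host, using reported SHA256s."""
import hashlib
import random
from typing import Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_split(blob: bytes, stub_sha256: str, approx_stub_len: int, slack: int = 2048) -> Optional[int]:
    """Offset where sha256(blob[:offset]) == stub_sha256, searched within
    approx_stub_len +/- slack (report sizes are rounded to KB, so the exact
    length is unknown). Each candidate costs one digest: the running hasher
    is copied rather than the prefix re-hashed."""
    lo = max(1, approx_stub_len - slack)
    hi = min(len(blob) - 1, approx_stub_len + slack)
    if lo > hi:
        return None
    h = hashlib.sha256(blob[:lo])          # h always holds sha256(blob[:off])
    for off in range(lo, hi + 1):
        if h.copy().hexdigest() == stub_sha256:
            return off
        h.update(blob[off:off + 1])        # extend the prefix by one byte
    return None


def verify_layout(blob: bytes, stub_sha256: str, host_sha256: str,
                  approx_stub_len: int) -> Tuple[bool, Optional[int]]:
    """(True, offset) when a prefix hashes to the stub and the rest to the host;
    (False, offset) when only the stub matched; (False, None) when neither."""
    off = find_split(blob, stub_sha256, approx_stub_len)
    if off is None:
        return False, None
    return sha256(blob[off:]) == host_sha256, off


def carve(blob: bytes, off: int) -> Tuple[bytes, bytes]:
    """Split into (stub, host) at a verified offset."""
    return blob[:off], blob[off:]


def build_demo() -> Tuple[bytes, str, str, int]:
    """Constructed stand-in for the sample (NOT the real file): an 80KB-and-a-bit
    'stub' and a 717KB 'host', deterministic so results are repeatable."""
    rnd = random.Random(0x7B5D)
    stub = b"MZ" + bytes(rnd.getrandbits(8) for _ in range(80 * 1024 + 35))
    host = b"MZ" + bytes(rnd.getrandbits(8) for _ in range(717 * 1024 - 2))
    return stub + host, sha256(stub), sha256(host), 80 * 1024


def run_demo() -> Tuple[bool, Optional[int]]:
    blob, stub_h, host_h, approx = build_demo()
    return verify_layout(blob, stub_h, host_h, approx)


if __name__ == "__main__":
    ok, off = run_demo()
    print(f"constructed file: layout verified={ok}, stub length={off}")
    # Against the real submitted file you would pass the hashes from this report:
    # verify_layout(open(path, "rb").read(),
    #               "98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b",  # C:\Windows\MSWDM.EXE
    #               "a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6",  # C:\Windows\dev79F7.tmp
    #               80 * 1024)
```

If the real file verifies, the carved host is the clean pre-infection executable (it should then match the a7acecc5... hash of dev79F7.tmp), and the carved prefix is the same stub as C:\Windows\MSWDM.EXE. If only the stub matches, the host was modified or the layout is not a plain prepend, which is worth knowing before assuming the original can be recovered by carving.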
