341a087bc0f591b320d6c002e9eedd835310eaaf70c0151506c70c1120a237df

Analysis

max time kernel
39s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Originals.lnk
Size

1KB
MD5

90af1b34486a977c3d31d28bdc24026a
SHA1

c660ed19958c995519904e0643f10d5563e84042
SHA256

876b9f2a470619a165b5909bcbf50d8395ea527352f16d027df056207e70ebf2
SHA512

d97e5837df81ebd6b1ffaf2f2ac04f65073af0edee992192db43e5512dc25e8f4027d4e43f3fc4ee5eb3e5e37ff632bd1e4c363463a0c788222424738afddc4c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1776	bbc.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1748	1476	cmd.exe	28
PID 1476 wrote to memory of 1748	1476	cmd.exe	28
PID 1476 wrote to memory of 1748	1476	cmd.exe	28
PID 1748 wrote to memory of 1776	1748	cmd.exe	29
PID 1748 wrote to memory of 1776	1748	cmd.exe	29
PID 1748 wrote to memory of 1776	1748	cmd.exe	29
PID 1776 wrote to memory of 1660	1776	bbc.exe	30
PID 1776 wrote to memory of 1660	1776	bbc.exe	30
PID 1776 wrote to memory of 1660	1776	bbc.exe	30
PID 1776 wrote to memory of 1660	1776	bbc.exe	30
PID 1776 wrote to memory of 1660	1776	bbc.exe	30
PID 1776 wrote to memory of 1660	1776	bbc.exe	30
PID 1776 wrote to memory of 1660	1776	bbc.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Originals.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c carcasses\muddler.cmd re gs vr
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\bbc.exe
    C:\Users\Admin\AppData\Local\Temp\bbc.exe carcasses\relocated.des
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\regsvr32.exe
      carcasses\relocated.des
      4⤵
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bbc.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
\Users\Admin\AppData\Local\Temp\bbc.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
memory/1476-54-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/1660-97-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1660-98-0x0000000074E90000-0x0000000074F20000-memory.dmp

Filesize
576KB

Download
memory/1660-99-0x0000000074E90000-0x0000000074F20000-memory.dmp

Filesize
576KB

Download