dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
Size

458KB
MD5

9633e7b2c2a61723bea584fce75d82b0
SHA1

bbd86304cde43b505204d20cfb86bcf288dce44e
SHA256

dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645
SHA512

cd1d2945b31e27dad0c242c380413fac898a187e267ec83259b53ca480c00e7ee1d74935de6114f82061b1c209dca1a975f28ec40f24454b4ae0590623c98fa2
SSDEEP

12288:fbWpulQyhqDM2RtRXo6TtKE3FySt0AQXquLYXrWn:DWpxyhqDMKjXFTtROKbWn

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1220	readme.exe
1420	my_70026.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-60-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Loads dropped DLL 10 IoCs

pid	Process
1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
1220	readme.exe
1220	readme.exe
1220	readme.exe
1220	readme.exe
1220	readme.exe
1420	my_70026.exe
1420	my_70026.exe
1420	my_70026.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1956 wrote to memory of 1220	1956	dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe	27
PID 1220 wrote to memory of 1420	1220	readme.exe	28
PID 1220 wrote to memory of 1420	1220	readme.exe	28
PID 1220 wrote to memory of 1420	1220	readme.exe	28
PID 1220 wrote to memory of 1420	1220	readme.exe	28
PID 1220 wrote to memory of 1420	1220	readme.exe	28
PID 1220 wrote to memory of 1420	1220	readme.exe	28
PID 1220 wrote to memory of 1420	1220	readme.exe	28

C:\Users\Admin\AppData\Local\Temp\dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe
"C:\Users\Admin\AppData\Local\Temp\dffd6cabaf576b76f5b752603ed8213d01625d575df2286f2d2b59d19a541645.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe
  "C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\my_70026.exe
    "C:\Users\Admin\AppData\Local\Temp\my_70026.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
\Users\Admin\AppData\Local\Temp\cdd\readme.exe

Filesize
43KB

MD5
48f64c103629ea2f7c18ddcdc01340f5

SHA1
7292ef548010eebf9dc2719e82afe8b602d68d12

SHA256
d9808a1451103bdd099f8b67a00acf4a21c4e8fbf8ad2673cb60968f88ff9cf8

SHA512
0012c5b19f7458d0475129c241041056a7f845a751596aaf3970af76cf546944ac6a34c6adc4812096038a1ac0b349fab56cf2b53b4172cd10af9388e5ddfd4a

Download Submit
\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
\Users\Admin\AppData\Local\Temp\my_70026.exe

Filesize
24KB

MD5
19bdb11bcaf97c39036c75a76f29fdfe

SHA1
fc41b672693c4d4685260028bcd8925c1262b33c

SHA256
b4351c2554849b7837a0991c4ab124dc2d8203667166af28597c152232251e78

SHA512
f113f70d0b6b320c9911d4bfb17253958a78b8ae60f3b8fb0295da17e2fc407736e38f742f489c4db717ffe090d65e88887661514211617a2bd0ca78a81557a7

Download Submit
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1956-61-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1956-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download