d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f

Analysis

max time kernel
93s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
Size

3.6MB
MD5

cf6e6ba018de6cc47d7dd446da29c6d0
SHA1

469c5d1146affa003a96a01b287b164a0423d880
SHA256

d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f
SHA512

1a38b3162b94edae86dde1468010248bee0bb160fb2b22f14194922a8970e44c1d9f70b45afd9a3ab83dff295802e2c349e95e92cd7564e1b841b4dabe078e76
SSDEEP

98304:MtBf470R4LNuu+izhCDU90ql08MSlBzxLLcD2v5Js2mEZU07IS:Mth470RCFlmS05SbzxLLcD2v5JCEZV7b

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
1128	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe3138.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe3138.tmp	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp3029.tmp\temp.000	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp30B8.tmp\temp.000	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26
PID 2016 wrote to memory of 1128	2016	d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe	26

C:\Users\Admin\AppData\Local\Temp\d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
"C:\Users\Admin\AppData\Local\Temp\d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\d7cbb52c544c59b5370d76ae0eed15f06f3e5ae796b27f17f8965352f996942f.exe
  -deleter
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
155B

MD5
a0dc13942d15b6bfc479081980e1c7cd

SHA1
63ce2bf5b651fceeb53650804064f17a246cd6eb

SHA256
0ad999bb343cd63108d370fa1a816179e015ea309cac0dc2775595db05b26bf5

SHA512
6f1ae0b5e499d6481b81b9ec1ecf0ed06e49765ed8c33819b3e57ec46869e609ebc1f8ad53947469fa718a10d3d180cdeb0b9d180329ff53e675010adfd4cce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp30A8.tmp\_setup.dll

Filesize
152KB

MD5
157884f3b1a35d2dbb09ee8f83a09ce6

SHA1
d3b796b4d3b59b41f1c802497c384b6b8053e101

SHA256
8bfe91c43b96c42c6a7d264cb931085279e126a40a1e65920c8d485df8a32691

SHA512
7a0070b648e5c6441443a661fc78897662786dcd6f2c1fbb358d23fa17ce21ef85cf503224fd023e66ea963be87a1b80de2f986fe6cfe64af01ad0df1380c0b8

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe3138.tmp

Filesize
676KB

MD5
f7217ffc0aac4e60dc9f1c0d687c20b3

SHA1
c04fa2ab93aaf44a824364cfd4b2c03a9bdb1f38

SHA256
8b44a220ec6760a728d2fc7c1a31c39550c5c991d8decd1cd56e7d9c18f12135

SHA512
ab954477f04319b5c14a5d4dd09f964dc2dddf1dcf1222fd7e32b39d02f40004f53296ef05484b1bce995035f4626acdcb8632eebed40b11c2b5e679e21842d1

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe3138.tmp

Filesize
676KB

MD5
f7217ffc0aac4e60dc9f1c0d687c20b3

SHA1
c04fa2ab93aaf44a824364cfd4b2c03a9bdb1f38

SHA256
8b44a220ec6760a728d2fc7c1a31c39550c5c991d8decd1cd56e7d9c18f12135

SHA512
ab954477f04319b5c14a5d4dd09f964dc2dddf1dcf1222fd7e32b39d02f40004f53296ef05484b1bce995035f4626acdcb8632eebed40b11c2b5e679e21842d1

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp3029.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp3029.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp30B8.tmp\IGdi.dll

Filesize
160KB

MD5
150f19ffcf1c56e3c5f77eb712d0310b

SHA1
ee29d37fe83ac48c00b5a15ef8073a653ac3354d

SHA256
63e799505ac9f425a9ae000adf438812d50cb7b92de50d4e45e042af704af49c

SHA512
e2bef9203abbd6934a16bd43c3f8975a69eca3c9ddea66d76dfd97fafceadb8779ea3c2b1f75787e7f909357ef636f5964a903148190886cee35a81668780e49

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp30B8.tmp\IGdi.dll

Filesize
160KB

MD5
150f19ffcf1c56e3c5f77eb712d0310b

SHA1
ee29d37fe83ac48c00b5a15ef8073a653ac3354d

SHA256
63e799505ac9f425a9ae000adf438812d50cb7b92de50d4e45e042af704af49c

SHA512
e2bef9203abbd6934a16bd43c3f8975a69eca3c9ddea66d76dfd97fafceadb8779ea3c2b1f75787e7f909357ef636f5964a903148190886cee35a81668780e49

Download Submit
\Users\Admin\AppData\Local\Temp\isp2F9A.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
\Users\Admin\AppData\Local\Temp\isp2F9A.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
\Users\Admin\AppData\Local\Temp\isp30A8.tmp\_Setup.dll

Filesize
152KB

MD5
157884f3b1a35d2dbb09ee8f83a09ce6

SHA1
d3b796b4d3b59b41f1c802497c384b6b8053e101

SHA256
8bfe91c43b96c42c6a7d264cb931085279e126a40a1e65920c8d485df8a32691

SHA512
7a0070b648e5c6441443a661fc78897662786dcd6f2c1fbb358d23fa17ce21ef85cf503224fd023e66ea963be87a1b80de2f986fe6cfe64af01ad0df1380c0b8

Download Submit
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download