cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958

Analysis

max time kernel
135s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 09:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe
Size

451KB
MD5

8225705e91eb665f94aae09ac53825fd
SHA1

d8e7691b96eb143d5899cb384e8b91ad052f1140
SHA256

cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958
SHA512

31c1fce6a6a08656073b0d7416fc7add7252c8077804fe6367368174ae61ee1369bc9310754ebba17f7263d52317760ebeedee9cee39a747c292ccc61a9bfa59
SSDEEP

6144:yvaqS4IR/kviXzd4twM19AwCflNKBek0egb3CZF8/yoYZeiEzK4NKzLBM4cUvpS1:B/kviXzdtmJwNKBekM3GoYTEDeBf40w

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	hpigpwdrymrp.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe
1672	cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	hpigpwdrymrp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	hpigpwdrymrp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1644	hpigpwdrymrp.exe
1644	hpigpwdrymrp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1644	1672	cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe	27
PID 1672 wrote to memory of 1644	1672	cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe	27
PID 1672 wrote to memory of 1644	1672	cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe	27
PID 1672 wrote to memory of 1644	1672	cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe	27

C:\Users\Admin\AppData\Local\Temp\cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe
"C:\Users\Admin\AppData\Local\Temp\cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\hpigpwdrymrp.exe
  "C:\Users\Admin\AppData\Local\Temp\\hpigpwdrymrp.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpigpwdrymrp.exe

Filesize
11KB

MD5
8a1240360271b11d7be8e579c8aae55a

SHA1
d5f399cea2aae630772f1090c83b3e3353ed833f

SHA256
81b9fdc86475fe81c05f0feeef0b233e1386802a57c7050f63409181b5feb827

SHA512
f1baf606ef670a94467962d95ab21fcb7257acdc5409d1430d15c2bc03bf7391f76c37a657f9cb0e7420a1cf3c34d430b022e1932701cad4504e7c2f08d0ac81

Download Submit
C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
451KB

MD5
8225705e91eb665f94aae09ac53825fd

SHA1
d8e7691b96eb143d5899cb384e8b91ad052f1140

SHA256
cc375ffe6dbc06f15ab3d10298cd4687d9dd9073abda946278690bf85364a958

SHA512
31c1fce6a6a08656073b0d7416fc7add7252c8077804fe6367368174ae61ee1369bc9310754ebba17f7263d52317760ebeedee9cee39a747c292ccc61a9bfa59

Download Submit
\Users\Admin\AppData\Local\Temp\hpigpwdrymrp.exe

Filesize
11KB

MD5
8a1240360271b11d7be8e579c8aae55a

SHA1
d5f399cea2aae630772f1090c83b3e3353ed833f

SHA256
81b9fdc86475fe81c05f0feeef0b233e1386802a57c7050f63409181b5feb827

SHA512
f1baf606ef670a94467962d95ab21fcb7257acdc5409d1430d15c2bc03bf7391f76c37a657f9cb0e7420a1cf3c34d430b022e1932701cad4504e7c2f08d0ac81

Download Submit
\Users\Admin\AppData\Local\Temp\hpigpwdrymrp.exe

Filesize
11KB

MD5
8a1240360271b11d7be8e579c8aae55a

SHA1
d5f399cea2aae630772f1090c83b3e3353ed833f

SHA256
81b9fdc86475fe81c05f0feeef0b233e1386802a57c7050f63409181b5feb827

SHA512
f1baf606ef670a94467962d95ab21fcb7257acdc5409d1430d15c2bc03bf7391f76c37a657f9cb0e7420a1cf3c34d430b022e1932701cad4504e7c2f08d0ac81

Download Submit
memory/1644-58-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp

Filesize
10.1MB

Download
memory/1644-59-0x000007FEF31C0000-0x000007FEF4256000-memory.dmp

Filesize
16.6MB

Download
memory/1644-61-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download