Analysis
-
max time kernel
150s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-11-2022 19:52
General
-
Target
a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe
-
Size
5.0MB
-
MD5
3fc57fd38dd0521976ea9c0f37c187dc
-
SHA1
f5610c292278e8dd75decdf238dc630f91d204a9
-
SHA256
a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120
-
SHA512
c4b8055d6dca7a969b7096ea7cb04db872bfa3addc0aece41f5fc62c33ae6e1982dfa6e71e0f373456cf89b2f99ff2dee947bb62ba612126c0e86a49146b1300
-
SSDEEP
98304:EstZLNLdQRhpII22cNb3g2n8zMkd6tSYFxrkDB4n:5ZUhH22cNb3Z8Qkd6tSgJkD
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe"C:\Users\Admin\AppData\Local\Temp\a61a3a202f45693bf7e21310198718e952dba27e6430f8c035a58be1f9276120.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ZDAQQXTL.exeC:\Windows\system32\ZDAQQXTL.exe2⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
964KB
MD57359ea3476e9f5d7f5e6845007531b4b
SHA1ec48e75b6a03979a1af7d993c55a76bc5a7780fe
SHA25643b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
SHA51201317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce
-
Filesize
964KB
MD57359ea3476e9f5d7f5e6845007531b4b
SHA1ec48e75b6a03979a1af7d993c55a76bc5a7780fe
SHA25643b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
SHA51201317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce
-
Filesize
964KB
MD57359ea3476e9f5d7f5e6845007531b4b
SHA1ec48e75b6a03979a1af7d993c55a76bc5a7780fe
SHA25643b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
SHA51201317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce
-
Filesize
964KB
MD57359ea3476e9f5d7f5e6845007531b4b
SHA1ec48e75b6a03979a1af7d993c55a76bc5a7780fe
SHA25643b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
SHA51201317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce
-
-
Filesize
8KB