Analysis
-
max time kernel
150s -
max time network
109s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
05/11/2022, 22:16
General
-
Target
3400a0b4768bde7214b06189709c9066a103c87311223ba1a6a51b9531c1b14c.exe
-
Size
286KB
-
MD5
a701ce34262b476efd9f5f0777001923
-
SHA1
2b9a4ae777488f25d489e473c2339a88727040ad
-
SHA256
3400a0b4768bde7214b06189709c9066a103c87311223ba1a6a51b9531c1b14c
-
SHA512
c3d158f8e5ef7e65a2434d132b09cca769ef89640a462b3ef4121e5811cc55bdfc880cd2c22ef306c8552d3918bb959fb56b2eecffefdf06062989585aea2594
-
SSDEEP
3072:fB0qmcaAgdt5N4uwDTpbieZhHRAtX16Xb0OHaNdvgE:Gqadt4uSTpbiefHaUXb1Habv
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 51 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3400a0b4768bde7214b06189709c9066a103c87311223ba1a6a51b9531c1b14c.exe"C:\Users\Admin\AppData\Local\Temp\3400a0b4768bde7214b06189709c9066a103c87311223ba1a6a51b9531c1b14c.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F235.exeC:\Users\Admin\AppData\Local\Temp\F235.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
-
-
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 10162⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5ce76e770ad205e87cfa6422efb9c8281
SHA1ea9cc31da577a6fbed83cb3565c45ef81539645a
SHA256b8341ee82f395cc49c4fc09c2e2d1a1d0ae55848e30351721c7f70b09c0206b1
SHA512551f841cea100372ceed051f08a01f62daca461327a14b692dc397ada8883f2d28b0b654923afd9c64b6471c8826c9c41b7a9e9f3b11e8268f3faebc21d6b6ee
-
Filesize
1.3MB
MD5ce76e770ad205e87cfa6422efb9c8281
SHA1ea9cc31da577a6fbed83cb3565c45ef81539645a
SHA256b8341ee82f395cc49c4fc09c2e2d1a1d0ae55848e30351721c7f70b09c0206b1
SHA512551f841cea100372ceed051f08a01f62daca461327a14b692dc397ada8883f2d28b0b654923afd9c64b6471c8826c9c41b7a9e9f3b11e8268f3faebc21d6b6ee
-
Filesize
3.5MB
MD5a7d875022bb5e3a34d034b947003d1b3
SHA15905ca93fea101ce80e5bf8925eb2a7eec1e333d
SHA256bcdf4c540c4289f81c98448d0a4482a96522fb767ab6015e76288afce148226a
SHA512f2b78a100cf0fa84909629b892e548d7ef9797621623a96aa75f15241d7350eecca117c3793056c30dc317ade8ecc0023c2b875516d9c25ac9bb0d880bb3149a
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
696KB
-
Filesize
4.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
10.2MB
-
Filesize
11.4MB
-
Filesize
10.2MB
-
Filesize
11.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.3MB
-
Filesize
1.2MB
-
Filesize
5.3MB
-
Filesize
2.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.2MB
-
Filesize
5.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
11.4MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
11.4MB