5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
Size

654KB
MD5

11a1356c2813e4762f404bcc07272570
SHA1

e6b876dc1d5d963a762d2d4431293afd743672d3
SHA256

5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f
SHA512

1caecd875a6dd55cb13d2ef433e83e7a9f72c00d3299b6925535e2c02ec7074f4d82172a5f47d59e004eb81754664f6fb96fa202501637286ed850f468117a27
SSDEEP

12288:e0gXZQVGEPBeDlYIczVmjuldONAvA7KGbNuwmO:Zu4Je6SudONgA7XU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
920	7za.exe
1256	Revert.exe
2036	lanbox.exe

Loads dropped DLL 10 IoCs

pid	Process
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
1256	Revert.exe
1256	Revert.exe
1256	Revert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2036	lanbox.exe
2036	lanbox.exe
2036	lanbox.exe
2036	lanbox.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 920	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	27
PID 2016 wrote to memory of 920	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	27
PID 2016 wrote to memory of 920	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	27
PID 2016 wrote to memory of 920	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	27
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 1256	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	29
PID 2016 wrote to memory of 2036	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	30
PID 2016 wrote to memory of 2036	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	30
PID 2016 wrote to memory of 2036	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	30
PID 2016 wrote to memory of 2036	2016	5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe	30

C:\Users\Admin\AppData\Local\Temp\5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe
"C:\Users\Admin\AppData\Local\Temp\5838586e5d850991ea74a0239893e4770f8c61f45ae82073c830d643c990735f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a.7z" -pxTRJ1TQdCj -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Users\Admin\AppData\Local\Temp\Revert.exe
  C:\Users\Admin\AppData\Local\Temp\Revert.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\lanbox.exe
  C:\Users\Admin\AppData\Local\Temp\lanbox.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.7z

Filesize
8KB

MD5
847428a51d087e17ae197a4726c6e36b

SHA1
34ec128e0d1679828322aad9895d1a41ac2816ee

SHA256
9d9ee5760096fd7cffecc687bd081381d7081a43e90968dfefc97009cdce87ef

SHA512
7de1cc47c4636683066bc80f984a73ed34721a9b23ffa7c420313ac3641961c97718f428bb6ba8826fee3955ff9658b57d2f1b3315adb0513106182e8e6da856

Download Submit
C:\Users\Admin\AppData\Local\Temp\lanbox.exe

Filesize
36KB

MD5
62bc5d585b64760f59403f632380230f

SHA1
c9cdaa39e48d41bdad087c136d22d52d63289717

SHA256
0fa9c984d020edc2442db08c3fde7e2bfc8638c68959ca7c406c28c01c88527c

SHA512
385d716e06d47b183290d94880be876add9e16e7a1ab4692129965c8e5a88d66df8bf2596ac64b4b3c3aaed03ca8fe706b242f937e87b38ea80bb96d0ae3a8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lanbox.exe

Filesize
36KB

MD5
62bc5d585b64760f59403f632380230f

SHA1
c9cdaa39e48d41bdad087c136d22d52d63289717

SHA256
0fa9c984d020edc2442db08c3fde7e2bfc8638c68959ca7c406c28c01c88527c

SHA512
385d716e06d47b183290d94880be876add9e16e7a1ab4692129965c8e5a88d66df8bf2596ac64b4b3c3aaed03ca8fe706b242f937e87b38ea80bb96d0ae3a8c1

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
\Users\Admin\AppData\Local\Temp\Revert.exe

Filesize
93KB

MD5
9700ed46acc7da553643087fd6c074fc

SHA1
d0a2036a1a5deda46e71571365c6abaa0fb6339b

SHA256
3ffb3a0d8cc56ee05f9ace493dfca8604ce04d12fdbf70e571ce4bda0dad8c14

SHA512
37a7cfaa14a170cd820a7784cc45550994d06845a9e9961f5973c4087d88904394d8900bc4160ccef698dee07a60d1f4e57c2d2be13ffb3c034399e0043ab807

Download Submit
\Users\Admin\AppData\Local\Temp\lanbox.exe

Filesize
36KB

MD5
62bc5d585b64760f59403f632380230f

SHA1
c9cdaa39e48d41bdad087c136d22d52d63289717

SHA256
0fa9c984d020edc2442db08c3fde7e2bfc8638c68959ca7c406c28c01c88527c

SHA512
385d716e06d47b183290d94880be876add9e16e7a1ab4692129965c8e5a88d66df8bf2596ac64b4b3c3aaed03ca8fe706b242f937e87b38ea80bb96d0ae3a8c1

Download Submit
\Users\Admin\AppData\Local\Temp\lanbox.exe

Filesize
36KB

MD5
62bc5d585b64760f59403f632380230f

SHA1
c9cdaa39e48d41bdad087c136d22d52d63289717

SHA256
0fa9c984d020edc2442db08c3fde7e2bfc8638c68959ca7c406c28c01c88527c

SHA512
385d716e06d47b183290d94880be876add9e16e7a1ab4692129965c8e5a88d66df8bf2596ac64b4b3c3aaed03ca8fe706b242f937e87b38ea80bb96d0ae3a8c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDD.tmp\execDos.dll

Filesize
5KB

MD5
0deb397ca1e716bb7b15e1754e52b2ac

SHA1
fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

SHA256
720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

SHA512
507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

Download Submit
memory/920-58-0x0000000000000000-mapping.dmp

Download
memory/1256-63-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/2036-70-0x0000000000000000-mapping.dmp

Download