Analysis

  • max time kernel
    172s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2022 15:25

General

  • Target

    62bfa3fad284bdcd92ea6d87932a9f827803eaa53034c5decf528fa82ea8f992.exe

  • Size

    188KB

  • MD5

    091188fd291def1cab1e90c4cfc305f0

  • SHA1

    3f63b8d8cde9e38edc1c6de0883110be3897669c

  • SHA256

    62bfa3fad284bdcd92ea6d87932a9f827803eaa53034c5decf528fa82ea8f992

  • SHA512

    4afd63403cca6b0095f7a34d1810b5f2a5454b8467808f5e2ab6cf4b9c6540d78baf01ef01202e5ada51f52dacc505aa449fd5ad0fec9efec36900d0b6877b80

  • SSDEEP

    3072:6j42OHQqQ7b4zxMJsSmJ6nTQFlKRilqoq6v/i:RkqM4zk0cqfMoty

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. Note that no file-encryption or ransom-note signature fired in this run, so on its own this is a weak indicator.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62bfa3fad284bdcd92ea6d87932a9f827803eaa53034c5decf528fa82ea8f992.exe
    "C:\Users\Admin\AppData\Local\Temp\62bfa3fad284bdcd92ea6d87932a9f827803eaa53034c5decf528fa82ea8f992.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\soelou.exe
      "C:\Users\Admin\soelou.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1380

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\soelou.exe

    Filesize

    188KB

    MD5

    784d035356409aeac51e9e09d78c9a7a

    SHA1

    24263f449a247da322763e4db37eea50ee8bfd18

    SHA256

    061d5f0347010f28cf94eeaaca87fbc4f07fd2067d6c30ce87ac0f71e8bc5245

    SHA512

    01c3c8be973cc67097e89a0edc9875b786066727f07c6cce0f91044f36d25d4bb73dba80727284d49c87befa2433625aea09a4914042534f279761ec8eb8fda1

  • \Users\Admin\soelou.exe

    Filesize

    188KB

    MD5

    784d035356409aeac51e9e09d78c9a7a

    SHA1

    24263f449a247da322763e4db37eea50ee8bfd18

    SHA256

    061d5f0347010f28cf94eeaaca87fbc4f07fd2067d6c30ce87ac0f71e8bc5245

    SHA512

    01c3c8be973cc67097e89a0edc9875b786066727f07c6cce0f91044f36d25d4bb73dba80727284d49c87befa2433625aea09a4914042534f279761ec8eb8fda1

  • memory/1196-56-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

    Filesize

    8KB
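The following hunting script is an added example and is not part of the sandbox report. It turns the three host-side behaviours above into checks a responder can run on a suspect Windows host: the dropped soelou.exe in the root of a user profile (matched by name as well as hash, because the dropped copy already has a different SHA256 from the submitted sample), a Run-key autorun pointing at it, and Explorer's hidden/system-file visibility settings. The report does not name the registry values behind the "Modifies visibility of hidden/system files in Explorer" signature or the Run key it wrote; the Explorer\Advanced values Hidden and ShowSuperHidden, the specific Run keys, and the "executable directly under C:\Users\<name>\" heuristic are assumptions of this example.

```powershell
# Added hunting script, not part of the sandbox report.
# Assumptions (not stated on the page): the Explorer signature refers to the
# Hidden / ShowSuperHidden values under Explorer\Advanced, the autorun lives in
# one of the standard Run keys, and an .exe directly under C:\Users\<name>\ is
# suspicious. Run in an elevated PowerShell on the host under investigation.

function Get-Sha256Hex {
    # .NET hashing so this also runs on the PowerShell 2.0 that ships with Windows 7
    # (Get-FileHash needs PowerShell 4+).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# SHA256 values copied from the report: the submitted sample and the dropped copy.
$ReportHashes = @{
    '62bfa3fad284bdcd92ea6d87932a9f827803eaa53034c5decf528fa82ea8f992' = 'submitted sample'
    '061d5f0347010f28cf94eeaaca87fbc4f07fd2067d6c30ce87ac0f71e8bc5245' = 'dropped soelou.exe'
}
$DroppedName = 'soelou.exe'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped file: the sample wrote soelou.exe directly into C:\Users\Admin\.
#    Check every profile root and flag a name match even when the hash differs.
$userDirs = Get-ChildItem -Path 'C:\Users' -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
foreach ($userDir in $userDirs) {
    $candidate = Join-Path $userDir.FullName $DroppedName
    if (Test-Path -LiteralPath $candidate) {
        $hash = Get-Sha256Hex -Path $candidate
        if ($ReportHashes.ContainsKey($hash)) { $label = $ReportHashes[$hash] }
        else { $label = 'name matches, hash does not (possible new variant)' }
        $Findings.Add("FILE $candidate sha256=$hash [$label]")
    }
}

# 2. Persistence: Run keys in HKCU and HKLM (plus the WOW6432Node view on x64).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Either the dropped file name itself, or any .exe sitting directly in a profile root
# (paths under AppData or deeper do not match the second pattern).
$dropRe    = '(?i)\\' + [regex]::Escape($DroppedName) + '("|\s|$)'
$profileRe = '(?i)^"?[a-z]:\\users\\[^\\"]+\\[^\\"]+\.exe"?(\s|$)'
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
        $cmd = [string]$prop.Value
        if ($cmd -match $dropRe -or $cmd -match $profileRe) {
            $Findings.Add("RUN  $key\$($prop.Name) = $cmd")
        }
    }
}

# 3. Explorer hidden/system-file visibility (assumed values for the signature name).
#    Hidden=2 hides hidden files; ShowSuperHidden=0 hides protected OS files. Both are
#    also the Windows defaults, so the current state alone does not prove tampering;
#    compare against your baseline or the key's last-write time. Reported as INFO.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path -Path $adv) {
    $p = Get-ItemProperty -Path $adv
    $Findings.Add("INFO $adv Hidden=$($p.Hidden) ShowSuperHidden=$($p.ShowSuperHidden)")
}

if ($Findings.Count -eq 0) { 'No indicators from this report found on the host.' } else { $Findings }
```

HKCU only covers the account running the script; to check other profiles, load their NTUSER.DAT with reg load or iterate Registry::HKEY_USERS and substitute that path for the HKCU keys. The dropped file and the Run-key entry are the actionable findings; the INFO line on Explorer settings is context for the analyst, not evidence on its own.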