6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2

Analysis

max time kernel
185s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe
Size

1.1MB
MD5

0e7ab98006c3202d5f59d5028ea70cb7
SHA1

d42de39d28bb621e229b0366dc38408e174e59a6
SHA256

6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2
SHA512

0ec8b02ba2b82530d3b85af42d1bea6abce45f649fbd5956c5276e988787ae9914777f2a5b027c7529e7014171ebc80b1d95560a0712a8a854a661785e019195
SSDEEP

24576:wW0peow6/GmPN760aABzSbE0nc4v2o6IsQPTYDIH17GwoYC:CTbVSrz6nWH1GPp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1840	search.cmd

Deletes itself 1 IoCs

pid	Process
1128	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe
1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1840	search.cmd

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1840	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	27
PID 1352 wrote to memory of 1840	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	27
PID 1352 wrote to memory of 1840	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	27
PID 1352 wrote to memory of 1840	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	27
PID 1352 wrote to memory of 1128	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	28
PID 1352 wrote to memory of 1128	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	28
PID 1352 wrote to memory of 1128	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	28
PID 1352 wrote to memory of 1128	1352	6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe	28

C:\Users\Admin\AppData\Local\Temp\6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe
"C:\Users\Admin\AppData\Local\Temp\6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del c:\users\admin\appdata\local\temp\6735D3~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
0e7ab98006c3202d5f59d5028ea70cb7

SHA1
d42de39d28bb621e229b0366dc38408e174e59a6

SHA256
6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2

SHA512
0ec8b02ba2b82530d3b85af42d1bea6abce45f649fbd5956c5276e988787ae9914777f2a5b027c7529e7014171ebc80b1d95560a0712a8a854a661785e019195

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
0e7ab98006c3202d5f59d5028ea70cb7

SHA1
d42de39d28bb621e229b0366dc38408e174e59a6

SHA256
6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2

SHA512
0ec8b02ba2b82530d3b85af42d1bea6abce45f649fbd5956c5276e988787ae9914777f2a5b027c7529e7014171ebc80b1d95560a0712a8a854a661785e019195

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
0e7ab98006c3202d5f59d5028ea70cb7

SHA1
d42de39d28bb621e229b0366dc38408e174e59a6

SHA256
6735d3c15251c8d68bbe0bcc254347b5571f19e973886bed52da9b01dd2cc7e2

SHA512
0ec8b02ba2b82530d3b85af42d1bea6abce45f649fbd5956c5276e988787ae9914777f2a5b027c7529e7014171ebc80b1d95560a0712a8a854a661785e019195

Download Submit
memory/1128-60-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1840-57-0x0000000000000000-mapping.dmp

Download