Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07/11/2022, 16:20
Static task
static1
Behavioral task
behavioral1
Sample
3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe
Resource
win10v2004-20220901-en
General
-
Target
3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe
-
Size
73KB
-
MD5
6a7b720e2f0530aae810719ffe3b8cd3
-
SHA1
58d896e807b96e2cfbb094bd9da51fe7d1cc1c18
-
SHA256
3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4
-
SHA512
004bdc113257441b73a394720d366da337cc4d1ce3ab64d26ab66e3bc7e80499d9fc1d48112816703884f15367c6ca8b89fd5cd39e80a8f8d2e58ee9cf9406e4
-
SSDEEP
1536:oKaLOllgWF1Ho+6lLYCTLINi6bbbbxNi6bbbbi5:aLilV1HotmC/kj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1312 lifikuri.exe -
Deletes itself 1 IoCs
pid Process 1312 lifikuri.exe -
Loads dropped DLL 2 IoCs
pid Process 756 3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe 756 3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 icanhazip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 756 wrote to memory of 1312 756 3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe 28 PID 756 wrote to memory of 1312 756 3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe 28 PID 756 wrote to memory of 1312 756 3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe 28 PID 756 wrote to memory of 1312 756 3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe"C:\Users\Admin\AppData\Local\Temp\3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\lifikuri.exe"C:\Users\Admin\AppData\Local\Temp\lifikuri.exe"2⤵
- Executes dropped EXE
- Deletes itself
PID:1312
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD56732f13398763a4e959d9443c8b3a915
SHA11c6ecf2ccec67ff52cdab15be8997106f207f2c3
SHA2560e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8
SHA5128e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd
-
Filesize
73KB
MD56732f13398763a4e959d9443c8b3a915
SHA11c6ecf2ccec67ff52cdab15be8997106f207f2c3
SHA2560e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8
SHA5128e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd
-
Filesize
73KB
MD56732f13398763a4e959d9443c8b3a915
SHA11c6ecf2ccec67ff52cdab15be8997106f207f2c3
SHA2560e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8
SHA5128e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd
-
Filesize
73KB
MD56732f13398763a4e959d9443c8b3a915
SHA11c6ecf2ccec67ff52cdab15be8997106f207f2c3
SHA2560e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8
SHA5128e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd