3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4

Analysis

max time kernel
135s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe
Size

73KB
MD5

6a7b720e2f0530aae810719ffe3b8cd3
SHA1

58d896e807b96e2cfbb094bd9da51fe7d1cc1c18
SHA256

3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4
SHA512

004bdc113257441b73a394720d366da337cc4d1ce3ab64d26ab66e3bc7e80499d9fc1d48112816703884f15367c6ca8b89fd5cd39e80a8f8d2e58ee9cf9406e4
SSDEEP

1536:oKaLOllgWF1Ho+6lLYCTLINi6bbbbxNi6bbbbi5:aLilV1HotmC/kj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1312	lifikuri.exe

Deletes itself 1 IoCs

pid	Process
1312	lifikuri.exe

Loads dropped DLL 2 IoCs

pid	Process
756	3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe
756	3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1312	756	3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe	28
PID 756 wrote to memory of 1312	756	3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe	28
PID 756 wrote to memory of 1312	756	3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe	28
PID 756 wrote to memory of 1312	756	3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe	28

C:\Users\Admin\AppData\Local\Temp\3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe
"C:\Users\Admin\AppData\Local\Temp\3cc9785e2e09c0e95c15c1d3ed3188db60db57e448bdd635d1d49071df33c5c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\lifikuri.exe
  "C:\Users\Admin\AppData\Local\Temp\lifikuri.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lifikuri.exe

Filesize
73KB

MD5
6732f13398763a4e959d9443c8b3a915

SHA1
1c6ecf2ccec67ff52cdab15be8997106f207f2c3

SHA256
0e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8

SHA512
8e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lifikuri.exe

Filesize
73KB

MD5
6732f13398763a4e959d9443c8b3a915

SHA1
1c6ecf2ccec67ff52cdab15be8997106f207f2c3

SHA256
0e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8

SHA512
8e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd

Download Submit
\Users\Admin\AppData\Local\Temp\lifikuri.exe

Filesize
73KB

MD5
6732f13398763a4e959d9443c8b3a915

SHA1
1c6ecf2ccec67ff52cdab15be8997106f207f2c3

SHA256
0e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8

SHA512
8e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd

Download Submit
\Users\Admin\AppData\Local\Temp\lifikuri.exe

Filesize
73KB

MD5
6732f13398763a4e959d9443c8b3a915

SHA1
1c6ecf2ccec67ff52cdab15be8997106f207f2c3

SHA256
0e94c7d1e16328e35953e25c7fbcf2f540bf369a1c0010c369915e1c3363bfb8

SHA512
8e8082a6547fab89f1fa6c29a5a396996d6bcb3aeadf228990625af502d61ff2da7c9f6c3f649b8b4bb9af0ef4d64941b0afa13c18cf88e8fc67c374230a4ddd

Download Submit
memory/756-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/756-55-0x00000000005C0000-0x00000000005E5000-memory.dmp

Filesize
148KB

Download
memory/756-56-0x0000000000400000-0x00000000004243F0-memory.dmp

Filesize
144KB

Download