Overview

overview

9

Static

static

d5bccc9160...bf.exe

windows7-x64

9

d5bccc9160...bf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    218s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5bccc9160adad0a89c05396837144e542f975c72a39cf94be27e5393a7101bf.exe

  • Size

    148KB

  • MD5

    7c2943a27fa8a7eb008f23a012e2417a

  • SHA1

    5a13018bdd5578367841091d7d438dd825cb76c5

  • SHA256

    d5bccc9160adad0a89c05396837144e542f975c72a39cf94be27e5393a7101bf

  • SHA512

    d8293cdf5a2c293b4be3b84596fa5144becb536c746024e9073f01afc37c27b8d4ec5bc4057fa85c7ad4fea3a2a21d17377b3247666c1fc9c29bf1ba20fea0d8

  • SSDEEP

    1536:CpRZDY5HmunFKtcDrNoLiD3Fvvow149Tlj5CjEhBQ79aXNJ8PcO1zcA7GCBjv4BE:qvY53r9DFHN149d5CgBQJadJXOh7j0E

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5bccc9160adad0a89c05396837144e542f975c72a39cf94be27e5393a7101bf.exe
    "C:\Users\Admin\AppData\Local\Temp\d5bccc9160adad0a89c05396837144e542f975c72a39cf94be27e5393a7101bf.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
          PID:568
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          3⤵
          • Interacts with shadow copies
          PID:536

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/536-62-0x0000000000000000-mapping.dmp

      Download

    • memory/568-61-0x0000000000000000-mapping.dmp

      Download

    • memory/568-64-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1168-56-0x0000000000000000-mapping.dmp

      Download

    • memory/1168-58-0x00000000757E1000-0x00000000757E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1168-59-0x00000000749E1000-0x00000000749E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1168-60-0x0000000000080000-0x00000000000A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1820-54-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1820-57-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download