d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650

Analysis

max time kernel
185s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
Size

17.9MB
MD5

032df0f1f2ba47bd9309a254fbe6db4e
SHA1

fab9480bfd9d21bfb384824d2a6b2b6c14609287
SHA256

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650
SHA512

9da4762c5b3d584eaba18757e3e6b95ffa9b798ac929f6af1995f359869931f580fc6f6b776fed4215cfc8c407d3f4c2231f0c29d63b8d858ac5aba9b0ddb094
SSDEEP

393216:MnSIndpOjO2hEEvEhGGtR2pdbHuu29m5Ika2Cm+aY2mZcfHMEpTc5PfEKCoTBMw8:MSupQpvCL2pJHuf9bkJCm+asEpT2PNCT

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

pid	process
516	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
516	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

Drops file in Program Files directory 3 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

description	ioc	process
File created	C:\Program Files (x86)\qq\qq.ico	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
File created	C:\Program Files (x86)\qq\qq.t	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
File created	C:\Program Files (x86)\qq\ÌÚÑ¶QQ.lnk	d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

pid process

516 d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

pid process

516 d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe

C:\Users\Admin\AppData\Local\Temp\d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe
"C:\Users\Admin\AppData\Local\Temp\d6e5ddfae52cb68faca663583368ee7c796f4bc5b25757a951f91de6ad1f6650.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:516

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyFFE3.tmp\BrandingURL.dll
Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFFE3.tmp\InstallOptions.dll
Filesize
14KB

MD5
107737e3282fefd85684f2fa3df6d1c3

SHA1
3befbcae116a644ae28cebdc1d7dfe6be5c8ca5f

SHA256
21042be362d4073053bffcc90511b3ecf77902243525b56bb159581b5ece43a0

SHA512
439ac2f3066902e08d63dc3061f55063089857e765feb29fe47ba5819a9bebdff3fe2fe55fc8bfcfddb729d340f006ee95b5aa4422d712f9dcc07cc02ec410b4

Download Submit
memory/516-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/516-55-0x0000000073E51000-0x0000000073E53000-memory.dmp

Filesize
8KB

Download