9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4

Analysis

max time kernel
164s
max time network
178s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe
Size

4.5MB
MD5

2c71e79a25ceb77504ca193f6fa10e47
SHA1

8de02eb3770795392835942a460c14b978a668e5
SHA256

9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4
SHA512

4a0c6233031e41410da3e748def92acbb3df7e7d613282be6665af2beaead7cae51d98224d1187498e98a9c151844924cc05d0c96a8d5bec47b1f58fb8861599
SSDEEP

98304:F1KT+V8PzZwUGkHB9zgdDGkMOAwkDv0uHkr2O:WZbZwjknaiOAw60uHrO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Bundle.exeBundle.exe

pid process

916 Bundle.exe
1652 Bundle.exe

pid	process
916	Bundle.exe
1652	Bundle.exe

Loads dropped DLL 2 IoCs

Processes:

9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe

pid	process
1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe
1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe

description	pid	process	target process
PID 1688 wrote to memory of 916	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 916	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 916	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 916	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 1652	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 1652	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 1652	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe
PID 1688 wrote to memory of 1652	1688	9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe	Bundle.exe

C:\Users\Admin\AppData\Local\Temp\9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe
"C:\Users\Admin\AppData\Local\Temp\9139caa5dcf6a0fb57fc25e9c1f7b09f6e58facb851b669f46cbbb169f731fc4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\Bundle.exe
"C:\Users\Admin\AppData\Local\Temp\Bundle.exe" /s /t /i ElectroLyrics /u http://www.practicaldownload.com/index.php /ta
2⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\AppData\Local\Temp\Bundle.exe
"C:\Users\Admin\AppData\Local\Temp\Bundle.exe" /s /t /i Yontoo1 /u http://www.practicaldownload.com/index.php /ta
2⤵
- Executes dropped EXE
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bundle.exe

Filesize
304KB

MD5
dde7ff14407dd4ea62f9b513f927efb5

SHA1
d14973a87491a54dbfa611a4083edbc701f89ee6

SHA256
2c69d3350203f1aa4c99848a097cf428fa6d748d28fb291a166710f78d6dd7d2

SHA512
8663ba9a9f145767b1f0b6f34a096a41c2ea2d2d6feed3b644b496e26d59e6b622adc13c31d76c281b0352e6230d44cd6e8d2b009b94ab3d03b55e7852792d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bundle.exe

Filesize
304KB

MD5
dde7ff14407dd4ea62f9b513f927efb5

SHA1
d14973a87491a54dbfa611a4083edbc701f89ee6

SHA256
2c69d3350203f1aa4c99848a097cf428fa6d748d28fb291a166710f78d6dd7d2

SHA512
8663ba9a9f145767b1f0b6f34a096a41c2ea2d2d6feed3b644b496e26d59e6b622adc13c31d76c281b0352e6230d44cd6e8d2b009b94ab3d03b55e7852792d58

Download Submit
\Users\Admin\AppData\Local\Temp\Bundle.exe

Filesize
304KB

MD5
dde7ff14407dd4ea62f9b513f927efb5

SHA1
d14973a87491a54dbfa611a4083edbc701f89ee6

SHA256
2c69d3350203f1aa4c99848a097cf428fa6d748d28fb291a166710f78d6dd7d2

SHA512
8663ba9a9f145767b1f0b6f34a096a41c2ea2d2d6feed3b644b496e26d59e6b622adc13c31d76c281b0352e6230d44cd6e8d2b009b94ab3d03b55e7852792d58

Download Submit
\Users\Admin\AppData\Local\Temp\Bundle.exe

Filesize
304KB

MD5
dde7ff14407dd4ea62f9b513f927efb5

SHA1
d14973a87491a54dbfa611a4083edbc701f89ee6

SHA256
2c69d3350203f1aa4c99848a097cf428fa6d748d28fb291a166710f78d6dd7d2

SHA512
8663ba9a9f145767b1f0b6f34a096a41c2ea2d2d6feed3b644b496e26d59e6b622adc13c31d76c281b0352e6230d44cd6e8d2b009b94ab3d03b55e7852792d58

Download Submit
memory/916-58-0x0000000000000000-mapping.dmp

Download
memory/1652-62-0x0000000000000000-mapping.dmp

Download
memory/1688-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-56-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-65-0x0000000000556000-0x0000000000567000-memory.dmp

Filesize
68KB

Download