Overview

overview

5

Static

static

444897dae1...ff.exe

windows7-x64

3

444897dae1...ff.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    32s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe

  • Size

    2.3MB

  • MD5

    5ed88fad3c9cba43fab260017c002a3a

  • SHA1

    a6e3d5022693e25cf6d1a44d5aa685edcc658565

  • SHA256

    444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff

  • SHA512

    09fe08f8708b75e3c512eb297d31328010bda1e6196a2ba9783d761bcf7bdbf4f3d56852a4821a43690278da743712cdd9ce2a7b4882168dd6425cc1d482d7cb

  • SSDEEP

    49152:Ac//////ZTHtW5p3Jtwc54TmLL4vJrKJYib++a0DLxZ4oGdmzs4obqacIuGJ:Ac//////BtW5VJtwS4aEvMfD9MLvbqcp

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe
    "C:\Users\Admin\AppData\Local\Temp\444897dae1910c2990675c2e108930cd5d202956fb3f271bf143d9eb5d41d9ff.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\fcaiai726.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\fcaiai726.rar
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\fcaiai726.rar"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1812
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\tj1.rar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tj1.rar
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\tj1.rar"
          4⤵
            PID:2040

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\fcaiai726.rar
      Filesize

      2.1MB

      MD5

      bed563288455753b23cb98ca314cfc39

      SHA1

      7552c8e2b65b80fbf0fc55c92783fd34299fa558

      SHA256

      f12f8e2cca7e583acffeac7310040b9a11fe711ae539d1a1f8df1bae4bc5fb5c

      SHA512

      bb995a121bbbc65b817f842cc397dc3bd056e4a0f62ce3b7148620049577e515bf728ba3bcc75fadba1c4364a89c47f92db391091bad26718f1887b5c5b2a0cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tj1.rar
      Filesize

      183KB

      MD5

      3e16b53769e7f850368d0911ab499432

      SHA1

      4ca5e3e95818468782ba09c6accfd12ccbf443e4

      SHA256

      676547166f2dc0fe106e28e996fe099aad1efb72d5c03750f41a60115cf5a043

      SHA512

      554f01e0d885f4149cac25fb912ec6482c316e2f9aefb45afe31eb874489f2ca53d6556062649e14e4d23f84714a644d72196585f1c6b23e7a92c50c85c81fdb

      Download Submit
    • memory/528-54-0x0000000000000000-mapping.dmp
      Download
    • memory/852-55-0x0000000000000000-mapping.dmp
      Download
    • memory/852-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1788-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-63-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1972-58-0x0000000000000000-mapping.dmp
      Download
    • memory/2040-65-0x0000000000000000-mapping.dmp
      Download