Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 10:02

General

  • Target

    1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

  • Size

    797KB

  • MD5

    a797ebe7413dda691136baa61cec61f9

  • SHA1

    9092df3087817d296857c188fe0e417df2c33789

  • SHA256

    1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

  • SHA512

    c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

  • SSDEEP

    12288:YhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aJ1d7JAMRFwCTc5zNEc5V3:ARmJkcoQricOIQxiZY1iabjsCTizNEqd

Score
10/10

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
      "C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe"
      2⤵
      • Modifies firewall policy service
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\M-38593585020495849\winmgr.exe
        "C:\Users\Admin\M-38593585020495849\winmgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Users\Admin\M-38593585020495849\winmgr.exe
          "C:\Users\Admin\M-38593585020495849\winmgr.exe"
          4⤵
          • Executes dropped EXE
          PID:1448

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\m816972.rcf

    Filesize

    33KB

    MD5

    057abc70a878561a73b4166ae87748db

    SHA1

    dd21870cfc5cfe147bea8539d10d49ff5d34f929

    SHA256

    74fc5d9388ce1121f6ccd62f872662fb2a70ae5997fa92db18eaad36997a81b3

    SHA512

    e269cfbb48479c840a6dd3d707435755ac3e836cb5b6442c2ec761c6ea1cc5663cc85590784e721c6bfe0208356a974aabbbeb014585f34b98e9411b6f9da2be

  • C:\Users\Admin\M-38593585020495849\winmgr.exe

    Filesize

    797KB

    MD5

    a797ebe7413dda691136baa61cec61f9

    SHA1

    9092df3087817d296857c188fe0e417df2c33789

    SHA256

    1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

    SHA512

    c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

  • C:\Users\Admin\M-38593585020495849\winmgr.exe

    Filesize

    797KB

    MD5

    a797ebe7413dda691136baa61cec61f9

    SHA1

    9092df3087817d296857c188fe0e417df2c33789

    SHA256

    1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

    SHA512

    c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

  • C:\Users\Admin\M-38593585020495849\winmgr.exe

    Filesize

    797KB

    MD5

    a797ebe7413dda691136baa61cec61f9

    SHA1

    9092df3087817d296857c188fe0e417df2c33789

    SHA256

    1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

    SHA512

    c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

  • \Users\Admin\M-38593585020495849\winmgr.exe

    Filesize

    797KB

    MD5

    a797ebe7413dda691136baa61cec61f9

    SHA1

    9092df3087817d296857c188fe0e417df2c33789

    SHA256

    1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

    SHA512

    c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

  • memory/1448-72-0x00000000000C63B6-mapping.dmp

  • memory/1540-64-0x0000000000000000-mapping.dmp

  • memory/1964-62-0x00000000000C0000-0x00000000000CD000-memory.dmp

    Filesize

    52KB

  • memory/1964-61-0x00000000000C0000-0x00000000000CD000-memory.dmp

    Filesize

    52KB

  • memory/1964-57-0x00000000000C0000-0x00000000000CD000-memory.dmp

    Filesize

    52KB

  • memory/1964-58-0x00000000000C63B6-mapping.dmp

  • memory/1964-55-0x00000000000C0000-0x00000000000CD000-memory.dmp

    Filesize

    52KB

  • memory/2024-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

    Filesize

    8KB