Overview

overview

8

Static

static

d22d57bcf0...c2.exe

windows7-x64

8

d22d57bcf0...c2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    38s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe

  • Size

    7.7MB

  • MD5

    fd9f596b0d88024cffa94540cb837e6b

  • SHA1

    85704c78d3726ac45ff0fc9b6504873a56a8094c

  • SHA256

    d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2

  • SHA512

    47154c927ea66deef12e4f4ebbfa11e115afd9a484b2015a64f018ca9a1568b5de1692a1315b492d4f79b8721a7dfa2728a2c10a3717d6dce550e0761928b7e5

  • SSDEEP

    196608:d/p7W7CxzD/64edSppgTeFCa28Ry4SaZywpBwO3+76sdZGat4r:dx7Yw3/iSpeU3ZRjJyw7wI+71rGat4r

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe
    "C:\Users\Admin\AppData\Local\Temp\d22d57bcf039041fd0b1f0792293fae6d47f24919b147abc5ba6351a0eb6a5c2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:820
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\System32\regedit.exe" /S reg.reg
        3⤵
        • Runs .reg file with regedit
        PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Internet Download Manager\REG.reg
    Filesize

    1KB

    MD5

    b5a4d7472c0cea64a0b2f02a4c15aa5b

    SHA1

    2a1b37222568bf0571ff23248497cab0ff1b66bf

    SHA256

    570d4af82f9892fcc84c9205d38da0713a596f9fcaf944a65494ac47bdfd98f4

    SHA512

    c048c6196ea2eef0cc60f4472b71ecc7dc5f9813168c8bbfd8d5fdd013d8ad543fc802c793ba462985505d4c5b89a2cd473724cf9d4cf873a8391f0f5d90d8c5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
    Filesize

    97KB

    MD5

    4cf55abdd357a8284a5a8a4e9238541d

    SHA1

    7aaa62953f24552b1427973d72f4220715004626

    SHA256

    449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970

    SHA512

    aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
    Filesize

    97KB

    MD5

    4cf55abdd357a8284a5a8a4e9238541d

    SHA1

    7aaa62953f24552b1427973d72f4220715004626

    SHA256

    449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970

    SHA512

    aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
    Filesize

    7.4MB

    MD5

    0ccbff0f52ecfeee22366fa7c19e7cfb

    SHA1

    124f5094947e1877fc6cb7a5ffe6c750a0109061

    SHA256

    3f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15

    SHA512

    7c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
    Filesize

    7.4MB

    MD5

    0ccbff0f52ecfeee22366fa7c19e7cfb

    SHA1

    124f5094947e1877fc6cb7a5ffe6c750a0109061

    SHA256

    3f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15

    SHA512

    7c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46

    Download Submit
  • \Program Files (x86)\Internet Download Manager\IDMan.exe
    Filesize

    3.7MB

    MD5

    622e59ef2780c0751330be740af77517

    SHA1

    1579e745beb995923c5100fe78e59746c3b51d5d

    SHA256

    6d602e8cad22f647a879050e76aff7a80e77ea64bcff81c2ba0345787066a5e7

    SHA512

    60348fe4209e68d336bfdcb18ff03a9e4cd8ec1835b7420464e65c934a3a0d5bff6472b8bc20aca1d1fb48f59602312e2509f06dac7c88aba077fcd1f532a369

    Download Submit
  • \Program Files (x86)\Internet Download Manager\IDMan.exe
    Filesize

    3.7MB

    MD5

    622e59ef2780c0751330be740af77517

    SHA1

    1579e745beb995923c5100fe78e59746c3b51d5d

    SHA256

    6d602e8cad22f647a879050e76aff7a80e77ea64bcff81c2ba0345787066a5e7

    SHA512

    60348fe4209e68d336bfdcb18ff03a9e4cd8ec1835b7420464e65c934a3a0d5bff6472b8bc20aca1d1fb48f59602312e2509f06dac7c88aba077fcd1f532a369

    Download Submit
  • \Program Files (x86)\Internet Download Manager\Uninstall.exe
    Filesize

    175KB

    MD5

    6649e522ffb939aad03d70f4b5e2964d

    SHA1

    81350188dc28f6f7090ea77a0e5c4f4d275a6b81

    SHA256

    4b52f2d7c70cbdba1d2ce545beddc1d29bfa7ffd82ade6a2c35e8091d2c7148a

    SHA512

    12e194a6b634b15be1a8e2d06fe9905176e08b033aa416e3582c77d0e20b5557e2b09f9a3707913bea25977d8efbb647827a74fa9ddb8b85c42d247b665fb640

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
    Filesize

    97KB

    MD5

    4cf55abdd357a8284a5a8a4e9238541d

    SHA1

    7aaa62953f24552b1427973d72f4220715004626

    SHA256

    449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970

    SHA512

    aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
    Filesize

    97KB

    MD5

    4cf55abdd357a8284a5a8a4e9238541d

    SHA1

    7aaa62953f24552b1427973d72f4220715004626

    SHA256

    449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970

    SHA512

    aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\HOST.exe
    Filesize

    97KB

    MD5

    4cf55abdd357a8284a5a8a4e9238541d

    SHA1

    7aaa62953f24552b1427973d72f4220715004626

    SHA256

    449bad57a49cbb06d13723fd534df9223490b3c76a62fda4052d778e3335c970

    SHA512

    aaf7041d9ed9287060db7c77782e580cfb8aca5c9495c638a3128971cadf786d1b93fe0ae0f6ddde4431d6f171e9051992fa05af6091e83cdf627c91909f4978

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
    Filesize

    7.4MB

    MD5

    0ccbff0f52ecfeee22366fa7c19e7cfb

    SHA1

    124f5094947e1877fc6cb7a5ffe6c750a0109061

    SHA256

    3f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15

    SHA512

    7c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
    Filesize

    7.4MB

    MD5

    0ccbff0f52ecfeee22366fa7c19e7cfb

    SHA1

    124f5094947e1877fc6cb7a5ffe6c750a0109061

    SHA256

    3f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15

    SHA512

    7c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\IDM.exe
    Filesize

    7.4MB

    MD5

    0ccbff0f52ecfeee22366fa7c19e7cfb

    SHA1

    124f5094947e1877fc6cb7a5ffe6c750a0109061

    SHA256

    3f5564bc8e7aad593eccbdc9c4cbaf52f9c36e40c496586067f32c304c179c15

    SHA512

    7c507b6faa53fd835be2fc8d315366810b7528fd1216b1342c5358047cf49bb4a71d8520974777e655a35579af28fee2fb5e86772d033078c78af8b0d2fa3f46

    Download Submit
  • memory/684-54-0x0000000075071000-0x0000000075073000-memory.dmp
    Filesize

    8KB

    Download
  • memory/820-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1372-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-75-0x0000000002FD0000-0x0000000002FE0000-memory.dmp
    Filesize

    64KB

    Download