Overview

overview

8

Static

static

07a7daa188...d6.exe

windows7-x64

8

07a7daa188...d6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

  • Size

    97KB

  • MD5

    e3224603fe2aaaec7a274c5d55252a04

  • SHA1

    8e815fc7e307485fa34e12f4f8e408bb10ea23dd

  • SHA256

    07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6

  • SHA512

    f01581ffebbde05c11de55d500b41c6129bbaa1134bbb22869ed160c9883cc40f2d9513b58e4fc5380ab05b73791477e9c496f499ca7b35ecbe928d7cda69fda

  • SSDEEP

    1536:Q2QVxKF03OXuK9s7/sEguuULsN3rhZurqODNrrQYey6iexQ1q2rTAmjq8cMGL:DYjyuKWgEgQIhCDnQY8nxQ1BrUSqVMM

Score
8/10
persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 3 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
    "C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Sets service image path in registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7de07151.bat" "
      2⤵
      • Deletes itself
      PID:1968
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    1⤵
      PID:1076
    • C:\Windows\SysWOW64\Svchost.exe
      C:\Windows\SysWOW64\Svchost.exe -k netsvcs
      1⤵
      • Loads dropped DLL
      PID:968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7de07151.bat
      Filesize

      303B

      MD5

      fa132c11f675fd5f0eb2997d5bc4d731

      SHA1

      76239ca477b5c0b82eb968e66e45cb79b7ff52f1

      SHA256

      0297daad1162f867e81d0591f31b1da7a151a2faa24f6b786948f99934f7753c

      SHA512

      639c20e680e3a52e12193dc837b8de1e25c5cdf877009450d1a2e36e852a02da8bacf84fd25653d4a478b75b6ad439e86cfe6631a972decbe97d02536ffc02a2

      Download Submit

    • \??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll
      Filesize

      25KB

      MD5

      622c4fc2bc6cbd965329dd0e2b5b24db

      SHA1

      0610310c0cc7e4005fdcf7d69b9810700efd7e19

      SHA256

      11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae

      SHA512

      b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5

      Download Submit

    • \Windows\SysWOW64\282D0550.tmp
      Filesize

      97KB

      MD5

      29f006f8d94ee46b43a05a389e1f3542

      SHA1

      73dd0d83b50613cf9b047663d4e873497896757c

      SHA256

      575e7be81c211b16af677ab42039a58c2c17370912531719414d120219f2fa9b

      SHA512

      77196e6962d4374a455290bc4d3264aac34639c142ee9d3d30092de0169073173e8fc28614af01d631b1595ad4dea45450d8ff0aad47f1e180e35ac772623fd9

      Download Submit

    • \Windows\SysWOW64\FastUserSwitchingCompatibility.dll
      Filesize

      25KB

      MD5

      622c4fc2bc6cbd965329dd0e2b5b24db

      SHA1

      0610310c0cc7e4005fdcf7d69b9810700efd7e19

      SHA256

      11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae

      SHA512

      b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5

      Download Submit

    • memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1940-56-0x0000000001F90000-0x0000000005F90000-memory.dmp

      Filesize

      64.0MB

      Download

    • memory/1940-57-0x0000000075920000-0x0000000075980000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1940-58-0x0000000001F90000-0x0000000005F90000-memory.dmp

      Filesize

      64.0MB

      Download

    • memory/1940-63-0x0000000075920000-0x0000000075980000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1968-59-0x0000000000000000-mapping.dmp

      Download