Analysis

  • max time kernel
    131s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    23-11-2022 09:52

General

  • Target

    2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe

  • Size

    18KB

  • MD5

    8dcafbce7a944df17e8257eaa3dc7e99

  • SHA1

    2b1ff918a5611abbc21638b8334f399984e468cd

  • SHA256

    2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6

  • SHA512

    5e16962074dbdcb4ba3c16fd6fa9a9324832dc38fb7efd2b5fd8df087b4f100ad2b21149e56535c5624af41e047eab840e8683bf9ee11f21be4cda9bba765a2f

  • SSDEEP

    192:KSY39YVDBpWvsmYaaBIyFE2vO0c93ymCzyLq1oynR61miLE3epar8Rd/:C39YVDLnmY1RTQ938zQq1+wiL8e68Rd

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the signature fires on device enumeration alone, so treat it as a weak indicator unless file-encryption activity is also observed.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe
    "C:\Users\Admin\AppData\Local\Temp\2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\pycwq.exe
      "C:\Users\Admin\AppData\Local\Temp\pycwq.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Modifies system certificate store
      PID:1600
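The three signatures the report attributes to the dropped child, Executes dropped EXE, Deletes itself and Modifies system certificate store, each correspond to a simple correlation over endpoint telemetry. The script below is an added example and is not the sandbox's own detection code: it runs those correlations over a handful of constructed Sysmon-shaped events that mirror the process tree above (PID 1096 writing and launching pycwq.exe as PID 1600). The event shape, the assumption that a child deleting its parent's binary counts as Deletes itself (the report tags 1600, not 1096), and the use of a SystemCertificates registry path as the certificate-store indicator are all assumptions made for the example; the path without a drive letter is included because the report lists the dropped file in both spellings.

```python
import re

# Constructed Sysmon-shaped events: id 1 = process create, 11 = file create,
# 23 = file delete, 13 = registry value set.  They mirror the report's process
# tree and are not captured telemetry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\pycwq.exe"

EVENTS = [
    {"id": 1, "pid": 1096, "ppid": 1404, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 1096, "target": DROPPED},
    {"id": 1, "pid": 1600, "ppid": 1096, "image": DROPPED, "parent_image": SAMPLE},
    # Drive-letter-less spelling, as in the report's third Downloads entry.
    {"id": 23, "pid": 1600,
     "target": r"\Users\Admin\AppData\Local\Temp\2a46f751b86df95b5f740d4e0b3129d26b6323bb9afe6a1707519ce2bb90e5e6.exe"},
    # Assumed registry path for a root-store write; the thumbprint is a placeholder.
    {"id": 13, "pid": 1600,
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0000000000000000000000000000000000000000\Blob"},
    # Benign noise from another process, to show the cert-store rule stays quiet.
    {"id": 13, "pid": 1404,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]


def norm(path):
    """Lower-case and drop a leading drive letter so that 'C:\\Users\\...' and
    '\\Users\\...' compare equal."""
    return re.sub(r"^[a-z]:", "", path.lower())


def executes_dropped_exe(events):
    """PIDs whose image was written earlier in the trace by some process."""
    written = {}
    hits = []
    for e in events:
        if e["id"] == 11:
            written[norm(e["target"])] = e["pid"]
        elif e["id"] == 1 and norm(e["image"]) in written:
            hits.append(e["pid"])
    return hits


def deletes_itself(events):
    """PIDs that delete their own image or their parent's image.  Assumption:
    the child removing the original sample counts, which is how the report
    ends up tagging PID 1600 rather than PID 1096."""
    image, parent_image = {}, {}
    hits = []
    for e in events:
        if e["id"] == 1:
            image[e["pid"]] = norm(e["image"])
            parent_image[e["pid"]] = norm(e["parent_image"])
        elif e["id"] == 23:
            target = norm(e["target"])
            if target in (image.get(e["pid"]), parent_image.get(e["pid"])):
                hits.append(e["pid"])
    return hits


# Assumed indicator: any value set beneath a SystemCertificates key.
CERT_STORE_RE = re.compile(r"\\systemcertificates\\", re.IGNORECASE)


def modifies_cert_store(events):
    """PIDs that set a registry value under a SystemCertificates key."""
    return [e["pid"] for e in events
            if e["id"] == 13 and CERT_STORE_RE.search(e["target"])]


def signatures(events):
    """Map the report's signature names to the PIDs that triggered them."""
    return {
        "Executes dropped EXE": executes_dropped_exe(events),
        "Deletes itself": deletes_itself(events),
        "Modifies system certificate store": modifies_cert_store(events),
    }


if __name__ == "__main__":
    for name, pids in signatures(EVENTS).items():
        print(f"{name}: {pids}")
```

Run as-is it attributes all three signatures to PID 1600 and nothing to the sample's own PID or to the benign explorer process, matching the tree above. On real Sysmon data the same logic applies after mapping EventID 1/11/23/13 fields onto the dictionary keys used here; the path normalisation matters because file-delete and file-create events are not guaranteed to spell the same path identically.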

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pycwq.exe

    Filesize

    18KB

    MD5

    2789ee4f393557184b5790214cdd7d64

    SHA1

    4d9f739b3edcb2654ba2defe72b677533c43f6b2

    SHA256

    6bfcc1ee7ee701107fdef87c08eedfa3d65ad6e0706adf311e518330f6468da8

    SHA512

    fc354ed4566896331a5956a4d7c9f945389a778bbab50ba96d669fead7de81570f625bb8ac8043f76e6cc4a71e801dc0ccf171b5720dacdccafc1e7f2b6acd3d

  • \Users\Admin\AppData\Local\Temp\pycwq.exe

    Filesize

    18KB

    MD5

    2789ee4f393557184b5790214cdd7d64

    SHA1

    4d9f739b3edcb2654ba2defe72b677533c43f6b2

    SHA256

    6bfcc1ee7ee701107fdef87c08eedfa3d65ad6e0706adf311e518330f6468da8

    SHA512

    fc354ed4566896331a5956a4d7c9f945389a778bbab50ba96d669fead7de81570f625bb8ac8043f76e6cc4a71e801dc0ccf171b5720dacdccafc1e7f2b6acd3d

  • memory/1096-54-0x0000000075211000-0x0000000075213000-memory.dmp

    Filesize

    8KB

  • memory/1096-58-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1600-56-0x0000000000000000-mapping.dmp

  • memory/1600-61-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB