Overview

overview

8

Static

static

a37b876975...ac.exe

windows7-x64

8

a37b876975...ac.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    42s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

  • Size

    1.3MB

  • MD5

    cb90a2e16248a527f6cc7205ed3624bf

  • SHA1

    9499e4d7c56caf13dc1c659d0d21f74ebca57225

  • SHA256

    a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac

  • SHA512

    afada5ed5f801d350a75fbd5e178ffb805e32b4688107ab04e88c65e84e61fdaae56d60a23e0726afa443fae2efc6f39cd93479788a661a596ce207f14118e2f

  • SSDEEP

    24576:UhQMSJvM7f824i1mRsWLP9wKn9gNg19rjgtB:m/xssWDaIamlgtB

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe
    "C:\Users\Admin\AppData\Local\Temp\a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Roamingflash_player_plugin.exe
      "C:\Users\Admin\AppData\Roamingflash_player_plugin.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roamingflash_player_plugin.exe
    Filesize

    1.0MB

    MD5

    05bd5ac2baf0abbce24deb916d0fb79c

    SHA1

    7070263d9c43c80b1b1f997268be72926cc0dc98

    SHA256

    f9f2e632535b214a0fab376b32cbee1cab6507490c22ba9e12cfa417ed8d72bb

    SHA512

    68837d7e5ccb97ec412c851660752f2aa45af5e4b0e09adcbea05aa3f95330813575c2e5c1c1b683820967e410725d120939b7498e578362f3c5a722655c5964

    Download Submit
  • C:\Users\Admin\AppData\Roamingflash_player_plugin.exe
    Filesize

    1.0MB

    MD5

    05bd5ac2baf0abbce24deb916d0fb79c

    SHA1

    7070263d9c43c80b1b1f997268be72926cc0dc98

    SHA256

    f9f2e632535b214a0fab376b32cbee1cab6507490c22ba9e12cfa417ed8d72bb

    SHA512

    68837d7e5ccb97ec412c851660752f2aa45af5e4b0e09adcbea05aa3f95330813575c2e5c1c1b683820967e410725d120939b7498e578362f3c5a722655c5964

    Download Submit
  • memory/992-57-0x0000000000000000-mapping.dmp
    Download
  • memory/992-59-0x0000000075E31000-0x0000000075E33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/992-62-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

    Download
  • memory/992-63-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

    Download
  • memory/992-64-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

    Download
  • memory/1676-54-0x000007FEF4E60000-0x000007FEF5883000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1676-55-0x000007FEF3B80000-0x000007FEF4C16000-memory.dmp
    Filesize

    16.6MB

    Download
  • memory/1676-56-0x0000000000B86000-0x0000000000BA5000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1676-60-0x0000000000B86000-0x0000000000BA5000-memory.dmp
    Filesize

    124KB

    Download