Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:39
Static task: static1
Behavioral task: behavioral1
  Sample: 55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
  Resource: win10v2004-20220812-en
General
- Target: 55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
- Size: 1.0MB
- MD5: 874b7631e1db0c41e25a1d972509c2a8
- SHA1: 1fae4e0ae24f927b64fa1c482b2fa79d33fa7a3c
- SHA256: 55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56
- SHA512: 93abcdaf6c6bc3b3b3cc10d6b6196d4c4a1a08ad07685339fd9dc5eee49aa381715ee8e0f9c0fece5194165f151e0eae5e0db249607fdac4eb6694234471393d
- SSDEEP: 24576:E4lavt0LkLL9IMixoEgeadpF6Mm3Jd3eWq9MmCS:Tkwkn9IMHeadpFbm3JNPaPCS
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    2264  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid   process
    4644  55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe  (4 hits)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    pid   process
    4644  55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe  (4 hits)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 4644 wrote to memory of 2264   4644  55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe  rundll32.exe  (3 hits)
    PID 4644 wrote to memory of 4628   4644  55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe  cmd.exe       (3 hits)
    PID 4628 wrote to memory of 4508   4628  cmd.exe                                                                   PING.EXE      (3 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe  (pid 4644)
   Command line: "C:\Users\Admin\AppData\Local\Temp\55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe"
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe  (pid 2264)
      Command line: rundll32 c:\windows\temp\msvcp90u.dll,rdl
      - Loads dropped DLL
   2. C:\Windows\SysWOW64\cmd.exe  (pid 4628)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Tempscratch.bat
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  (pid 4508)
         Command line: ping -n 0127.0.0.1
         - Runs ping.exe
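The process tree and the IoC tables above, turned into the checks an analyst would automate. This is an added example, not output or code from the sandbox or the sample's author; the process records and WriteProcessMemory pairs are constructed from the PIDs and command lines printed in this report (paths reproduced exactly as the report prints them), and the rule names and directory list are my own assumptions. It flags rundll32 loading a DLL from a writable directory (here c:\windows\temp\msvcp90u.dll, a name modelled on the Visual C++ 2008 runtime msvcp90.dll, invoked through the non-standard export rdl), a Temp-resident parent running a batch file through cmd.exe, and a loopback ping under that cmd.exe, the usual batch-file sleep/self-delete idiom. For the WriteProcessMemory entries it checks whether each write target is a child the writer itself created: all nine here are, which is what ordinary process start-up looks like under instrumentation, so those entries corroborate the tree rather than prove injection, and the rule only fires for a write into a process that is not the writer's child.

```python
"""Detection checks over the process tree and WriteProcessMemory IoCs of the report above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the tree
    image: str
    cmdline: str


SAMPLE = "55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed from the report: PIDs, parents and command lines as printed on the page.
PROCESSES = [
    Proc(4644, None, TEMP + SAMPLE, '"' + TEMP + SAMPLE + '"'),
    Proc(2264, 4644, "C:\\Windows\\SysWOW64\\rundll32.exe",
         "rundll32 c:\\windows\\temp\\msvcp90u.dll,rdl"),
    Proc(4628, 4644, "C:\\Windows\\SysWOW64\\cmd.exe",
         "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Tempscratch.bat"),
    Proc(4508, 4628, "C:\\Windows\\SysWOW64\\PING.EXE", "ping -n 0127.0.0.1"),
]

# (writer pid, target pid) pairs from the "Suspicious use of WriteProcessMemory (9 IoCs)" table.
WPM_EVENTS = [(4644, 2264)] * 3 + [(4644, 4628)] * 3 + [(4628, 4508)] * 3

# Assumed list of user-writable locations; a DLL or script executed from here is a dropped file.
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                 "\\programdata\\", "\\users\\public\\")

RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(.+?\.dll)"?\s*,\s*(\S+)', re.I)
CMD_BATCH_RE = re.compile(r'/c\s+"?(\S+?\.(?:bat|cmd))"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_writable_dir(path: str) -> bool:
    return any(d in path.lower() for d in WRITABLE_DIRS)


def analyze(procs: List[Proc], wpm_events: List[Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return (rule_id, message) findings for a process tree plus WriteProcessMemory pairs."""
    table = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = table.get(p.ppid) if p.ppid is not None else None
        name = basename(p.image)
        if name == "rundll32.exe":
            m = RUNDLL_RE.match(p.cmdline)
            if m and in_writable_dir(m.group(1)):
                findings.append(("rundll32_dropped_dll",
                                 f"pid {p.pid}: rundll32 loads {m.group(1)} "
                                 f"(export {m.group(2)}) from a writable directory"))
        elif name == "cmd.exe":
            m = CMD_BATCH_RE.search(p.cmdline)
            if m and parent is not None and in_writable_dir(parent.image):
                findings.append(("cmd_batch_from_temp_parent",
                                 f"pid {p.pid}: {basename(parent.image)} (pid {parent.pid}) "
                                 f"running from Temp executes batch {m.group(1)}"))
        elif name == "ping.exe":
            if parent is not None and basename(parent.image) == "cmd.exe" and "127.0.0.1" in p.cmdline:
                findings.append(("ping_loopback_sleep",
                                 f"pid {p.pid}: loopback ping under cmd.exe pid {parent.pid}, "
                                 "the batch-file sleep/self-delete idiom"))
    # A parent writing into a child it has just created is normal process start-up.
    # A write into a process that is NOT the writer's child is the injection case to alert on.
    for writer, target in sorted(set(wpm_events)):
        t = table.get(target)
        if t is None or t.ppid != writer:
            findings.append(("wpm_into_non_child",
                             f"pid {writer} wrote into pid {target}, which is not its child process"))
    return findings


if __name__ == "__main__":
    for rule, msg in analyze(PROCESSES, WPM_EVENTS):
        print(f"[{rule}] {msg}")
```

Run as-is it reports three findings for this tree and none for the WriteProcessMemory pairs; feeding it a pair whose target is outside the writer's subtree (for example a write into explorer.exe) is what makes the last rule fire.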
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Tempscratch.bat
  Filesize: 322B
  MD5: 202c240b0525490d56aae8f010017557
  SHA1: 6cd4d9ac27ef7f157154d6a46aad3f241e8791db
  SHA256: 3e8db04270135e058ce34e38451c54bca274718559c70f9ee6ccbb97521d5160
  SHA512: 7fc4d021e7a973e16215b5a7283adcfee7fea0bd338bdfa04554a020bc776bcc6efaa7301dad89df442c10a2446bf3c46a9e81da4fd8972a12dd6b2e55a32ad0
- C:\Windows\Temp\msvcp90u.dll
  Filesize: 330KB
  MD5: 169197c84154d58f9eee82052e1b8ee8
  SHA1: 474a0171bbffefb9490e280e58747fa97895a17d
  SHA256: f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19
  SHA512: 82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d
- \??\c:\windows\temp\msvcp90u.dll (NT path form of the same file; identical hashes)
  Filesize: 330KB
  MD5: 169197c84154d58f9eee82052e1b8ee8
  SHA1: 474a0171bbffefb9490e280e58747fa97895a17d
  SHA256: f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19
  SHA512: 82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d
- memory/2264-132-0x0000000000000000-mapping.dmp
- memory/4508-136-0x0000000000000000-mapping.dmp
- memory/4628-133-0x0000000000000000-mapping.dmp