Overview

overview

10

Static

static

4dc72fc2c7...fd.exe

windows7-x64

10

4dc72fc2c7...fd.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    173s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dc72fc2c7ccfd91d61848c30aac1978d329be7515740dd8436404ac9ffd63fd.exe

  • Size

    396KB

  • MD5

    3ed79716978bb09c4890a60dd74d5470

  • SHA1

    4b5232a93d4cd129f598ad0fdc93b145faee3922

  • SHA256

    4dc72fc2c7ccfd91d61848c30aac1978d329be7515740dd8436404ac9ffd63fd

  • SHA512

    0aedb190c6f0c5d18c509d57160c79a4c8aa64b5520e1a25d26e3bead94819159895bfa925cd9086f9837f96211d0d9e9bb439d6758b8a20a58a6a030ee527fd

  • SSDEEP

    6144:iX9SMLpHYi2B2plyB86ozFti/2rvpwnIrgc8SwAAwnMNSQNcDPbI/J5EJKdIxj:mL4i2YU2iu7pwQeSBAkAkiJSsY

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers system information 1 TTPs 2 IoCs

    Runs systeminfo.exe.

  • Modifies Control Panel 4 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dc72fc2c7ccfd91d61848c30aac1978d329be7515740dd8436404ac9ffd63fd.exe
    "C:\Users\Admin\AppData\Local\Temp\4dc72fc2c7ccfd91d61848c30aac1978d329be7515740dd8436404ac9ffd63fd.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Looks for VirtualBox Guest Additions in registry
    • Adds policy Run key to start application
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Gathers system information
      • Modifies Control Panel
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1416
    • C:\Users\Admin\AppData\Local\Temp\tmp9E91.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9E91.exe" "C:\Users\Admin\AppData\Local\Temp\4dc72fc2c7ccfd91d61848c30aac1978d329be7515740dd8436404ac9ffd63fd.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      PID:432
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 >> nul
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe"
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Gathers system information
        PID:812
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.bin\S-1-5-21-2292972927-2705560509-2768824231-1000\$ast-S-1-5-21-2292972927-2705560509-2768824231-1000\6R1AC_fxTZrnTPEbL9qE5NQ-.dat
    Filesize

    130KB

    MD5

    9a58c1e5c59b2e132f6437a48c6f57da

    SHA1

    1cc03ce30f46501a903a3797cc16888d206bbe76

    SHA256

    7d6a59b5ccc1ed26fd4bf959ac6501bc933c1f588d59577bad3e417227c98958

    SHA512

    126baa308226b50283d93ae1a7e179bfe6ce908a8e3f49f193dcbc766964fe3016f342751dfeac3c8f421b22fbd76b27d9333f17fe8327e0af18e787a792a048

    Download Submit

  • C:\$Recycle.bin\S-1-5-21-2292972927-2705560509-2768824231-1000\$ast-S-1-5-21-2292972927-2705560509-2768824231-1000\CVBPTO5b02u7YlmstKdiJU4eSEw0.dat
    Filesize

    5KB

    MD5

    860d2bc03add8d26d6a86a13ef95e031

    SHA1

    a2bb80a74be26d2f05503898d66d882517c5cb1e

    SHA256

    08fddec7ecfc483ee26cf920ce5417f96a057b1c97b54f17bf7e57c91adb3121

    SHA512

    2239f3bacb305b45d3644fc5dda552a74810ad8efecf593a1c0881b88cbd4c11bcca9068aa170ba09b28e36b9a2c18f81bedc60965f86684e19849710720f9f2

    Download Submit

  • C:\$Recycle.bin\S-1-5-21-2292972927-2705560509-2768824231-1000\$ast-S-1-5-21-2292972927-2705560509-2768824231-1000\t2aepKHSmR18tMkF4lysnC_Lcl3nv.dat
    Filesize

    21KB

    MD5

    66fd620d57f7dacd0d7e142915a1fe60

    SHA1

    ccecbc5da8f4a602ad4e3ffd24c8633dc42d4ddd

    SHA256

    c9aa1710094a903b2ef60728c723b1110227ee95f4ac2856f09e941afe93b305

    SHA512

    ee88c9b6c3a45e9c9f9edb9b57b58e27f36005e18793162bc16056545159fbd9b0a4833137cd14cd64291a0026c97152597df4201028bc37e7f17d4cca41f8b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9E91.exe
    Filesize

    396KB

    MD5

    3ed79716978bb09c4890a60dd74d5470

    SHA1

    4b5232a93d4cd129f598ad0fdc93b145faee3922

    SHA256

    4dc72fc2c7ccfd91d61848c30aac1978d329be7515740dd8436404ac9ffd63fd

    SHA512

    0aedb190c6f0c5d18c509d57160c79a4c8aa64b5520e1a25d26e3bead94819159895bfa925cd9086f9837f96211d0d9e9bb439d6758b8a20a58a6a030ee527fd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\systeminfo.lnk
    Filesize

    1KB

    MD5

    9643dcac1f3413868023d1da26f0e2f4

    SHA1

    4c3fc0fda1abf053417a04de1341ada49f9d712a

    SHA256

    20ef382f0dd8024de10f18d3faf8d56414cc384e07c348f12a3e6e8217b021f0

    SHA512

    39156040c70e93afce092f17f6277dacb0a790c0fbb37770a281b6b875ad1aa6acfd2b0eb85a564f2692735a1aa3f5af4bd10766c454fd7feb6fc6f852c8e69d

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\systeminfo.exe
    Filesize

    130KB

    MD5

    9988683a986ce553158421b80fc6dd4e

    SHA1

    309822d248e33ea7a2147f0b80e65dbd4f171359

    SHA256

    bdfcfc7421ecdc3edc7cee24fdbf1f933278bcffc1ffca99f0c174bd149ab558

    SHA512

    bee2bbdee88f2569cf008dea728e5ea1d3c32a24421ad4c94713a87cc48c7908d197a400b14d3e798a97b1f5ddfecf3be18f431843486c55deef4ec26a6c0090

    Download Submit

  • memory/432-79-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/432-70-0x0000000000000000-mapping.dmp

    Download

  • memory/812-75-0x0000000000000000-mapping.dmp

    Download

  • memory/1072-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1284-68-0x0000000002950000-0x0000000002975000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1416-69-0x0000000000840000-0x000000000084B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1416-60-0x0000000000000000-mapping.dmp

    Download

  • memory/1416-64-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1416-80-0x0000000000840000-0x000000000084B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1612-77-0x0000000000000000-mapping.dmp

    Download

  • memory/1688-73-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1688-55-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1688-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download