Analysis
max time kernel: 178s
max time network: 240s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 15:34
Static task: static1
Behavioral task: behavioral1
Sample: 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe
Resource: win10v2004-20220901-en
General
Target: 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe
Size: 163KB
MD5: 3871f1f017026b6c6a439902213712cf
SHA1: a664f294c49d184122877046e26c1487fc595dff
SHA256: 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d
SHA512: 52db4fd141c5369b92757f2e9b2bef38e5b29e1ddd922cd2651deae215c7dc6608eec73ad56f75d1703e91165866ee5f3a73b3f8c11db3652322fc3854043f0f
SSDEEP: 3072:Bz+92mhTMMJ/cPiq5bVin8/e6UN1U/FdcuAC/Qjk+cT:Bz+92mhAMJ/cPl3i8/tUN1nuAC/aS
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: ddos.exe (PID 1068)
- Loads dropped DLL (1 IoCs)
  Processes: cmd.exe (PID 1884)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\" | ddos.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target pid | target process):
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1720 | 7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe | 1884 | cmd.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
  wrote to memory of | 1884 | cmd.exe | 1068 | ddos.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7cfdb8a1d766649af4386d8e4af0a1fa60b4b9e3991498116c6a5eacff2b795d.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1720
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\lol.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1884
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\ddos.exe
      Command line: ddos.exe -dC:\Users\Admin\AppData\Local\Temp
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 1068
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 143KB
  MD5: f635a4b74fdc56e848870f277b71f970
  SHA1: 6f7768ba7eb98f2513a2437804e00f10f384af7c
  SHA256: 50af3581fd24b49bc07a680501d33c6a257e295642b8d4c3c3c680ba6e6f1e2a
  SHA512: 751ca86fe6d3bac2a1142b21160fd33a2d5bae8104c9a71d78016d52b36232fee2e184a79e1ae1efcbc48a1f16d6bfb59108ad8f2fdeb0ef52c0a77d51556267
- Filesize: 17B
  MD5: c719c903e82dd99ac04773bc9c293040
  SHA1: cad78b512d40c959a03a78c61f7320e1b4547d6c
  SHA256: a0a192d3a7aa9b5dede8f070b1b59a28eabb8182a513b81716b194bb3e5931e9
  SHA512: 8a2202526cd6a44f74d74bd88fcf94f471a2cb7f72fc127a573fb3cf1b55c9901496dc91a82126816308a24e5f6d6fd5188493060b3e5796d4ed072bd453f098