Overview

overview

7

Static

static

cdf8e50e81...08.exe

windows7-x64

7

cdf8e50e81...08.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    127s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdf8e50e8181aafe210944f84eaea8e54dc9024a09683292d66b4ec3314b9908.exe

  • Size

    797KB

  • MD5

    25463ec11b0bbb41434e341f635ea57c

  • SHA1

    bff9fb76cdf9a7ab99caa49f34a0a32a22f815f7

  • SHA256

    cdf8e50e8181aafe210944f84eaea8e54dc9024a09683292d66b4ec3314b9908

  • SHA512

    7c64ddcd1a581bb0df2daad1f8eb011939f549ec18ff86d41bac484ad9e4036be863c6d3053df8790d86369c7ea02d921e210fa4129a2a792c8111ef08c8c317

  • SSDEEP

    12288:0i6URcrZOvslozQHf6OWRrrb6IGbHnfErt7ouN/eqpcNoYx2eh:o6OE+IGbyt794ht2eh

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdf8e50e8181aafe210944f84eaea8e54dc9024a09683292d66b4ec3314b9908.exe
    "C:\Users\Admin\AppData\Local\Temp\cdf8e50e8181aafe210944f84eaea8e54dc9024a09683292d66b4ec3314b9908.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
        3⤵
        • Adds Run key to start application
        PID:1708
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:960
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
          PID:1788
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          2⤵
            PID:1312
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            2⤵
              PID:1472
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              2⤵
                PID:1068

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • \Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe
              Filesize

              797KB

              MD5

              25463ec11b0bbb41434e341f635ea57c

              SHA1

              bff9fb76cdf9a7ab99caa49f34a0a32a22f815f7

              SHA256

              cdf8e50e8181aafe210944f84eaea8e54dc9024a09683292d66b4ec3314b9908

              SHA512

              7c64ddcd1a581bb0df2daad1f8eb011939f549ec18ff86d41bac484ad9e4036be863c6d3053df8790d86369c7ea02d921e210fa4129a2a792c8111ef08c8c317

              Download Submit
            • memory/680-60-0x0000000000000000-mapping.dmp
              Download
            • memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1416-55-0x0000000074520000-0x0000000074ACB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1416-56-0x0000000000105000-0x0000000000116000-memory.dmp
              Filesize

              68KB

              Download
            • memory/1416-57-0x0000000074520000-0x0000000074ACB000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1416-58-0x0000000000105000-0x0000000000116000-memory.dmp
              Filesize

              68KB

              Download
            • memory/1708-61-0x0000000000000000-mapping.dmp
              Download