cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb

Analysis

max time kernel
73s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe
Size

10.7MB
MD5

44b6738f0b2896dff834fe9b30aaf7a4
SHA1

85385bdfff7b624ce317c4133a58d13c8aea34e7
SHA256

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb
SHA512

408a78ac7391c9911be91d3b1d7c4512be89103e9bfa7a206ac97a6dc714706a5cc049ca2b918ac36106fafe1899aa115b30fe7405df36a864ccf8bc412b7cab
SSDEEP

196608:bUdbjjbx8FWvc1ZMXd9M1BvLmPWh5BMLTeQDR45gb+dj02Hzn/pwNiN2x259s69:bUBHGFWvcfMXdW6Wh5eTdDYaxAn/pwUX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

software.exesoftware.tmp

pid process

1712 software.exe
1636 software.tmp

pid	process
1712	software.exe
1636	software.tmp

Loads dropped DLL 9 IoCs

Processes:

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exesoftware.exesoftware.tmp

pid	process
952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe
1712	software.exe
1712	software.exe
1712	software.exe
1636	software.tmp
1636	software.tmp
1636	software.tmp
1636	software.tmp
1636	software.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exesoftware.exe

description	pid	process	target process
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 952 wrote to memory of 1712	952	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp
PID 1712 wrote to memory of 1636	1712	software.exe	software.tmp

C:\Users\Admin\AppData\Local\Temp\cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe
"C:\Users\Admin\AppData\Local\Temp\cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\software.exe
C:\Users\Admin\AppData\Local\Temp\software.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\is-DJVI6.tmp\software.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DJVI6.tmp\software.tmp" /SL5="$70122,10932911,68608,C:\Users\Admin\AppData\Local\Temp\software.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DJVI6.tmp\software.tmp

Filesize
684KB

MD5
d8a7b498db39499a9205e6372bbd5301

SHA1
f5fb4bb2142c20b7cdda00ffe16275990000dd55

SHA256
218e4dba9a00fa76591cc7a17eb6434a202ca3527e80508f8d74cb355c31c2d7

SHA512
ce0fe80791fbb98d2f51b56b6bc4477b99ea1c41940c511eee1495b48188eab4178ecfad272dbf1ce2560b63297e72a6667bc476a7b3a6ea288ccdc76fcfa84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DJVI6.tmp\software.tmp

Filesize
684KB

MD5
d8a7b498db39499a9205e6372bbd5301

SHA1
f5fb4bb2142c20b7cdda00ffe16275990000dd55

SHA256
218e4dba9a00fa76591cc7a17eb6434a202ca3527e80508f8d74cb355c31c2d7

SHA512
ce0fe80791fbb98d2f51b56b6bc4477b99ea1c41940c511eee1495b48188eab4178ecfad272dbf1ce2560b63297e72a6667bc476a7b3a6ea288ccdc76fcfa84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\software.exe

Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\software.exe

Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
\Users\Admin\AppData\Local\Temp\is-DJVI6.tmp\software.tmp

Filesize
684KB

MD5
d8a7b498db39499a9205e6372bbd5301

SHA1
f5fb4bb2142c20b7cdda00ffe16275990000dd55

SHA256
218e4dba9a00fa76591cc7a17eb6434a202ca3527e80508f8d74cb355c31c2d7

SHA512
ce0fe80791fbb98d2f51b56b6bc4477b99ea1c41940c511eee1495b48188eab4178ecfad272dbf1ce2560b63297e72a6667bc476a7b3a6ea288ccdc76fcfa84c

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR9VH.tmp\EncStr.dll

Filesize
97KB

MD5
a96d045389a83b44bce302a255cf06c8

SHA1
e495735d19903433546315c42ce5f2947e1eccee

SHA256
ac1da22a5ab97f94d52b3cefac7910338786b5cd4f0fb6c823e4ac91f37baf25

SHA512
28c280cfa5ebf756ebd7d3f9df23a8a05b8e1b15a2e3abc11c557329e37219e31aa18e507bce733e41e3e46b73dd186eed760d88495b6abe43fce9360bd82c1f

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR9VH.tmp\LogFile.dll

Filesize
227KB

MD5
11cb58def67ec8b238548c04c89db02d

SHA1
c902f2389217a289343bdf0ba75d0fcacbb9de04

SHA256
f1164cad5d93a07cf81436458741a00a79555aa679200dbae4f595dd4972dab9

SHA512
756505066c6473b45166cd40f2e545cab4c65598b928ccde093a1f69e409acc0bc2b0094952afbc6430fc3dcd3028d44db9b96ac628a168bcb3ad168c7371712

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR9VH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR9VH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR9VH.tmp\cpuinfo.dll

Filesize
52KB

MD5
a9857c3b9c339fb16e1b0d26d1ba5332

SHA1
8fe84dc2ea9b59637a4348bd1e2dbb2a8027ca10

SHA256
ea68738427039a7b58f58b7293733e222f9def6cf3828f30812d8f5aafc23768

SHA512
1ddeff4100328ffdce0609947d51bf93e749fd278977e808a722b25ed0e25aab1a75d35aa936956f53dd74363f8ab4f0558b20a0ec4ca2a33e37993a1073d779

Download Submit
\Users\Admin\AppData\Local\Temp\software.exe

Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
\Users\Admin\AppData\Local\Temp\software.exe

Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
\Users\Admin\AppData\Local\Temp\software.exe

Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
memory/952-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/1636-75-0x0000000000300000-0x000000000031D000-memory.dmp

Filesize
116KB

Download
memory/1712-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1712-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1712-56-0x0000000000000000-mapping.dmp

Download
memory/1712-77-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download