Overview

overview

10

Static

static

cda938c0ca...12.exe

windows7-x64

10

cda938c0ca...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2022, 18:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cda938c0ca7c5bd84750d0275953e3b9ac399a967819437f5305b532d22edb12.exe

  • Size

    232KB

  • MD5

    442e7847a8ecbdccfcb0b799f1235598

  • SHA1

    6e22b6056e5dd9917bea931263c8e81459563087

  • SHA256

    cda938c0ca7c5bd84750d0275953e3b9ac399a967819437f5305b532d22edb12

  • SHA512

    162536b17451feaf5a2f7c28098bfb0fea85d5cd008e57cc18d2af5ebfb901d9fc7a83751ff76164e150bc5267cb3705df5710c512546d8d537a3005abe6e1f9

  • SSDEEP

    6144:nVcggg3ADylVl85IwwiXeujvWBxD2dMp/FFc8bZfq:Vcy3ADylVl85IwwiXeujvWBxD2dO/FLA

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 49 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cda938c0ca7c5bd84750d0275953e3b9ac399a967819437f5305b532d22edb12.exe
    "C:\Users\Admin\AppData\Local\Temp\cda938c0ca7c5bd84750d0275953e3b9ac399a967819437f5305b532d22edb12.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\roilaid.exe
      "C:\Users\Admin\roilaid.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:556

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\roilaid.exe
          Filesize

          232KB

          MD5

          3478e03075655e676d1afb814fbc69eb

          SHA1

          1e1d795ae32abf0c5ad90100b3844cde9ad146b9

          SHA256

          ad05d8808c52c53516323de136cd0013be66fe076fcc2d13429fcfeefd3ce221

          SHA512

          ca41a45ca63df4a201f888fbc7f7c717b1ef6d6357405fbd0e93b1d05291abf25631ea97f4f107fc37e912382b47829d7a2cd0dfbbacde17519c2803b9adbf3a

          Download Submit

        • C:\Users\Admin\roilaid.exe
          Filesize

          232KB

          MD5

          3478e03075655e676d1afb814fbc69eb

          SHA1

          1e1d795ae32abf0c5ad90100b3844cde9ad146b9

          SHA256

          ad05d8808c52c53516323de136cd0013be66fe076fcc2d13429fcfeefd3ce221

          SHA512

          ca41a45ca63df4a201f888fbc7f7c717b1ef6d6357405fbd0e93b1d05291abf25631ea97f4f107fc37e912382b47829d7a2cd0dfbbacde17519c2803b9adbf3a

          Download Submit

        • \Users\Admin\roilaid.exe
          Filesize

          232KB

          MD5

          3478e03075655e676d1afb814fbc69eb

          SHA1

          1e1d795ae32abf0c5ad90100b3844cde9ad146b9

          SHA256

          ad05d8808c52c53516323de136cd0013be66fe076fcc2d13429fcfeefd3ce221

          SHA512

          ca41a45ca63df4a201f888fbc7f7c717b1ef6d6357405fbd0e93b1d05291abf25631ea97f4f107fc37e912382b47829d7a2cd0dfbbacde17519c2803b9adbf3a

          Download Submit

        • \Users\Admin\roilaid.exe
          Filesize

          232KB

          MD5

          3478e03075655e676d1afb814fbc69eb

          SHA1

          1e1d795ae32abf0c5ad90100b3844cde9ad146b9

          SHA256

          ad05d8808c52c53516323de136cd0013be66fe076fcc2d13429fcfeefd3ce221

          SHA512

          ca41a45ca63df4a201f888fbc7f7c717b1ef6d6357405fbd0e93b1d05291abf25631ea97f4f107fc37e912382b47829d7a2cd0dfbbacde17519c2803b9adbf3a

          Download Submit

        • memory/556-67-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/1872-56-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/1872-57-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1872-64-0x0000000002D20000-0x0000000002D5B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/1872-65-0x0000000002D20000-0x0000000002D5B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/1872-69-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

          Download