1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb

Analysis

max time kernel
37s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
Size

60KB
MD5

47c2a38d3d4bb292b92177a47242dbd4
SHA1

bb27c882948d69bc9e6263eacbd07ffa05bda6e0
SHA256

1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb
SHA512

341387e03043fa47910139e80e75622f4bb633cd38d1ab36b39827d5289ce70430e315be8ddd5d3713f83348ed2687f2394596592064822c1bcdc2f68a151919
SSDEEP

1536:V3cpyORJLuB4P4AJJv4Romu/v4ptqrmX+lE8QG+e:V3c1fP4AJJv45SlwS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1544	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Internat Explorar\Desktop.ini	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
File opened for modification	C:\Users\Public\Desktop\Internat Explorar\Desktop.ini	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tbgw.ico	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
File opened for modification	C:\Windows\tbgw.ico	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 1504	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	27
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 748 wrote to memory of 940	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	28
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 940 wrote to memory of 1720	940	cmd.exe	31
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33
PID 748 wrote to memory of 1544	748	1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe
"C:\Users\Admin\AppData\Local\Temp\1e976659700390353dd8517925fd69eca4e8b3bd959745b326b9699bc3ec22fb.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move "C:\Users\Admin\AppData\Local\Temp\Internat Explorar" "C:\Users\Public\Desktop\Internat Explorar"
  2⤵
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib "C:\Users\Public\Desktop\Internat Explorar" +s
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Public\Desktop\Internat Explorar" +s
    3⤵
    - Views/modifies file attributes
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat" "
  2⤵
  - Deletes itself
  PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat

Filesize
250B

MD5
f1e6d69db8aeb743780342199ed060b3

SHA1
cb6d513b99a7a3e34862ef4622a110530f5ca7e9

SHA256
4f2bab69f391df289c53ada6253f59ef98e9520a0af2bef91b58ae33c61f8a1d

SHA512
e82065138835341ce6188956d7a4923029cfbc663bd092ce9875704dea7a83161033472ee9a80bf06a9891039662140a00e445350694dd9c1138ef3b587d12f4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst3CC5.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/748-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads