Analysis
- max time kernel: 153s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
- submitted: 24-11-2022 11:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
  Resource: win10v2004-20221111-en
General
- Target: a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
- Size: 1.8MB
- MD5: 51f26c0051e97a91145971fe5bc632ff
- SHA1: 770db9ad471ffd4357358bc16ff0bb6c98d71e5d
- SHA256: a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96
- SHA512: 226f95fa022d5ef7b7d9ff560e44d5768d4d934a90a5d28e14c331778cef7e06ac25a368c6dab9bb87be9869dfe9c5ae11fa01c15cbd4b03f8511047ab363c73
- SSDEEP: 49152:4TJvTlo5teGg9M9sS2wtG9zxuF/Vdl0g9uU+:4TJvTlouGg9QsAtG90/VdA1
Malware Config
Signatures
- Loads dropped DLL (9 IoCs)
  Processes:
    pid   process
    1584  a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe   (9 identical entries)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (5 IoCs)
  Processes (process column is a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe for every row):
    description                    ioc
    File created                   C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    File created                   C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_FlashUtil.exe
    File created                   C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt
    File created                   C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe
    File opened for modification   C:\Windows\SysWOW64\Macromed\Flash\install.log
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid   process
    1584  a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe   (18 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1584  a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4ea3bd92f7ef5dc1e82f211214aaf8fd99ca31102b8c83f73b5f4cd7004ef96.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 1584
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 17KB
  MD5: 2b8574f6a8f5de9042baa43c069d20ba
  SHA1: 07959da0c6b7715b51f70f1b0aea1f56ba7a4559
  SHA256: 38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564
  SHA512: f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88
- Filesize: 10KB   (5 identical entries)
  MD5: 16ae54e23736352739d7ab156b1965ba
  SHA1: 14f8f04bed2d6adc07565d5c064f6931b128568f
  SHA256: c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc
  SHA512: 15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f
- Filesize: 4KB   (2 identical entries)
  MD5: 68d73a95c628836b67ea5a717d74b38c
  SHA1: 935372db4a66f9dfd6c938724197787688e141b0
  SHA256: 21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226
  SHA512: 0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914
- Filesize: 4KB
  MD5: 05450face243b3a7472407b999b03a72
  SHA1: ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
  SHA256: 95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
  SHA512: f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b