Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
24-11-2022 21:01
General
-
Target
ecard.exe
-
Size
540KB
-
MD5
7e1fe97ad2bbe4694db516da79c34791
-
SHA1
faeb9e85135b7bc13d994f00f94b9285e962b39a
-
SHA256
9152f3ed68a535b62204bad2c7a88dc1028264bac3a4c3b28b33a3b89bb6418d
-
SHA512
3c1267dab94c1159d7339c65ecdb63c1792079fbe65527ed934b7ed11d39233bd8cd711aa1d93a30c118fbf15dba18f60cca54cfdc08ed95045b55d70debeeaf
-
SSDEEP
6144:lhLpD3Ave4QRZQBdU9rGhYCMxpLoZhVj3aUd5nrbHK7x+rZbMkN2PaWIZqbixxn5:lTcvhzU9ihYXxpUHVjfrjBrZok/V
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecard.exe"C:\Users\Admin\AppData\Local\Temp\ecard.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ecard.exe"C:\Users\Admin\AppData\Local\Temp\ecard.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exe"3⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CWH49.jpgFilesize
161KB
MD560370188ece426a5c6728cdd2016be9c
SHA1c6fc16ba9e05e9f8f05b6ec33ac0b1f42bdfe88a
SHA25606955da091df60466c7f92abd77ae8a40233147746fe82e37bd8c15b66cdfa3e
SHA512d16b7617369631de09cb0fca486345e2884581bf0683d4390b1ab44ed17049ef54e4f31fa1cddd567ca9bc6726b5ca761ee9471a4e80a5f6ec2cd9e6cec71845
-
C:\Users\Admin\AppData\Roaming\Cloud\Cloud.exeFilesize
540KB
MD50b8a87bd741cd5e7a92294ff3aff1e0d
SHA1717100cdd331da09032f3c9184d9df5c1b5805a1
SHA256e4a9c66209dcb118c985c8b0b78d9eb030145c9cd84e73dca47f4986d6ae7c52
SHA5128fd9f5afdabb21689f44fe3d9dac4b6280fe5dbecc01c94302ac384b02c2be707607479518dc6d8067ead9b06fbd623bf0b4751f0d3a4d260b83aaff1185b258
-
\Users\Admin\AppData\Roaming\Cloud\Cloud.exeFilesize
540KB
MD50b8a87bd741cd5e7a92294ff3aff1e0d
SHA1717100cdd331da09032f3c9184d9df5c1b5805a1
SHA256e4a9c66209dcb118c985c8b0b78d9eb030145c9cd84e73dca47f4986d6ae7c52
SHA5128fd9f5afdabb21689f44fe3d9dac4b6280fe5dbecc01c94302ac384b02c2be707607479518dc6d8067ead9b06fbd623bf0b4751f0d3a4d260b83aaff1185b258
-
\Users\Admin\AppData\Roaming\Cloud\Cloud.exeFilesize
540KB
MD50b8a87bd741cd5e7a92294ff3aff1e0d
SHA1717100cdd331da09032f3c9184d9df5c1b5805a1
SHA256e4a9c66209dcb118c985c8b0b78d9eb030145c9cd84e73dca47f4986d6ae7c52
SHA5128fd9f5afdabb21689f44fe3d9dac4b6280fe5dbecc01c94302ac384b02c2be707607479518dc6d8067ead9b06fbd623bf0b4751f0d3a4d260b83aaff1185b258
-
memory/1764-69-0x0000000000000000-mapping.dmp
-
memory/2028-57-0x000000000042F670-mapping.dmp
-
memory/2028-56-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2028-59-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2028-60-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/2028-63-0x0000000075811000-0x0000000075813000-memory.dmpFilesize
8KB
-
memory/2028-65-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
