Analysis
-
max time kernel
151s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
25-11-2022 09:24
General
-
Target
593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651.exe
-
Size
244KB
-
MD5
9ced6af933a6d0da83eaaab328ab8c54
-
SHA1
890a26d745ef6aee4fb5b5589262b97e5d50487b
-
SHA256
593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
-
SHA512
47f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
SSDEEP
3072:Wo8L5tpV+Ag1AAPoCpxW5ATBfUNlRsvkTVC9FieYTTLprx/m3qT4S826guKqhowN:atpB2oCpcNlRjQdi
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
Adds policy Run key to start application 2 TTPs 8 IoCs
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 3 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Drops autorun.inf file 1 TTPs 9 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 54 IoCs
-
Drops file in Windows directory 38 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 16 IoCs
-
Modifies registry class 44 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651.exe"C:\Users\Admin\AppData\Local\Temp\593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651.exe"1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"2⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"3⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"4⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\Cursors\Boom.vbsFilesize
4KB
MD5e72c9789ac7232e3b36766eb2a8f8da6
SHA1a37a9f18e227d103bb4e1ecac0834c2cdf99d112
SHA2567b03603cbc56105470b4bfb250d0ef18fa93126475e2872d63dc52c35866d2a9
SHA512666a2592c5303a1f42a8bbddc2a8e5d3289c612be7401e3530a3afd70d8243276645bad00a82f3254674307583dabae49c16204e790200a34b0707813265f6d0
-
C:\WINDOWS\Fonts\Fonts.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\Fonts\tskmgr.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\Help\microsoft.hlpFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\Media\rndll32.pifFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\Default.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\Global.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exeFilesize
244KB
MD5d7c50b15adc662b417cf20192a4176a9
SHA1d1361fbed3b65c633785b0ba0c32eb739852767b
SHA256abca57cda8d2f76e58d281f3202c52c3a090ec28b4d2a2fd47ed4e1f327f716b
SHA512eb0449aca4a12950b7c8d8d22c9fa00cb4b6115f07c500a635c43197bf5244041c8fbbe5d4f1d862b92e808e8b2be035171b362e72d3faf06b8d74be216b6083
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\dllcache\autorun.infFilesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
C:\WINDOWS\SysWOW64\dllcache\autorun.infFilesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
C:\WINDOWS\SysWOW64\dllcache\autorun.infFilesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
C:\WINDOWS\SysWOW64\dllcache\autorun.infFilesize
118B
MD54eb846be89a1520b7d0181f0736f9a96
SHA1869a156f9bd21b06d896cafa66db628f7b5e9679
SHA2565bf2d22daa1c82872df820f2e5d12fdc60e131f20782cc5e566a04343bfdf6d8
SHA512ee444365384528857a68672a0b1ae1a3b62f7a4b05038d894bc33f603291defdc03a2a3a2849054aa13f4f2def783fdce8f88a5896fd64f11a3f7c9b19c4008c
-
C:\WINDOWS\SysWOW64\dllcache\svchost.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\SysWOW64\drivers\drivers.cab.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\pchealth\Global.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\WINDOWS\system\KEYBOARD.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
C:\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
\Windows\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exeFilesize
244KB
MD59ced6af933a6d0da83eaaab328ab8c54
SHA1890a26d745ef6aee4fb5b5589262b97e5d50487b
SHA256593ac271c4d72ad2ce3b5093d9801abd5603369b595d1292b39bb251a7e3e651
SHA51247f9f37a0d47cc12b234efdb09122e2c9be4d5124fd43a4250b79ab87243e60c89479467c149f905e331efea4d67cec8df7b6cd27ab960f2b8f6b7f847f29a02
-
memory/900-61-0x0000000000000000-mapping.dmp
-
memory/900-92-0x00000000039A0000-0x00000000039E0000-memory.dmpFilesize
256KB
-
memory/900-93-0x00000000039A0000-0x00000000039E0000-memory.dmpFilesize
256KB
-
memory/900-109-0x00000000039A0000-0x00000000039E0000-memory.dmpFilesize
256KB
-
memory/900-82-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/900-108-0x00000000039A0000-0x00000000039E0000-memory.dmpFilesize
256KB
-
memory/984-98-0x0000000000000000-mapping.dmp
-
memory/984-105-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/984-103-0x00000000034E0000-0x0000000003F9A000-memory.dmpFilesize
10.7MB
-
memory/1032-94-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1032-85-0x0000000000000000-mapping.dmp
-
memory/1032-104-0x0000000004120000-0x0000000004160000-memory.dmpFilesize
256KB
-
memory/1524-56-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1524-58-0x0000000074001000-0x0000000074003000-memory.dmpFilesize
8KB
-
memory/1524-81-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1524-57-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB