Analysis
-
max time kernel
172s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 13:35
General
-
Target
dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe
-
Size
61KB
-
MD5
e027153d983946c3a5e336ba6639f178
-
SHA1
8648bb28d6a0d377ebdf4d91231cb54815001933
-
SHA256
dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
-
SHA512
fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
-
SSDEEP
1536:pM3K0rz6fS/tdvyO2eLehvGb/r/CAp2/DSjh/Zku:i60rWfofvH3ehv6/Ce6SjfH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe"C:\Users\Admin\AppData\Local\Temp\dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iehelper.exe"C:\Program Files (x86)\Internet Explorer\iehelper.exe" /fw2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\\winimes.bat2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Internet Explorer\iehelper.exeFilesize
61KB
MD5e027153d983946c3a5e336ba6639f178
SHA18648bb28d6a0d377ebdf4d91231cb54815001933
SHA256dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
SHA512fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
-
C:\Users\Admin\AppData\Local\Temp\winimes.batFilesize
253B
MD57bd8377077c4cccb94f65fff2db67bb7
SHA118f8829c34768c160c63cf408b3c973138bb0a07
SHA256bdb89c111e19d2f35a739ef1cf370541755c6b2cb8c775527589efd9fa825962
SHA512b54755ce0990193ecf48be5875d675c4e13b1e9b0619075d244f5fe6da449917e5f13929c39530cf5f935ac81dbf67dfc8d53f28874b462fe819015840a0a5c8
-
\Program Files (x86)\Internet Explorer\iehelper.exeFilesize
61KB
MD5e027153d983946c3a5e336ba6639f178
SHA18648bb28d6a0d377ebdf4d91231cb54815001933
SHA256dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
SHA512fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
-
\Program Files (x86)\Internet Explorer\iehelper.exeFilesize
61KB
MD5e027153d983946c3a5e336ba6639f178
SHA18648bb28d6a0d377ebdf4d91231cb54815001933
SHA256dd59f8e7fcc27c8b2e4fab1963d5b00c6a7365109e016968e3781efd621023ea
SHA512fbbdc0e909037dc169e9be30e5a446b565bbd74b18e07c39ac13c5de7106985dc04c75eb186a732db0f2b3ebb12341a313c509230744bcc7804e71b3cf067554
-
memory/988-59-0x0000000000000000-mapping.dmp
-
memory/1496-54-0x00000000761F1000-0x00000000761F3000-memory.dmpFilesize
8KB
-
memory/1496-55-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/1568-64-0x0000000000000000-mapping.dmp