Analysis

max time kernel: 124s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 14:03

Static task: static1

Behavioral task: behavioral1
Sample: a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
Resource: win10v2004-20221111-en

General

Target: a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
Size: 2.0MB
MD5: 69adfc0b2b9af7ebd3f687cd6e01216f
SHA1: 2a6a6d8301ac7e02f7036098b06796609894fdc2
SHA256: a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1
SHA512: 7df1d6b790627f1feb8913abb27b45154e266cbbe18b53d5a380f6cd1687c41e26f3c0b506eff93226af14f53808534335d816e248ffa63c1115481329e1bcbf
SSDEEP: 49152:JkR2Q4SuHEuRwT0RU2ILRU9JnOsmU+yWRw:RSqa69JnOsmU+bR
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1012  OAD.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2028  a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
  1012  OAD.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                      process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                             OAD.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OAD Start = "C:\\ProgramData\\NWHPQU\\OAD.exe"  OAD.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1012  OAD.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  1012  OAD.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid   process
  1012  OAD.exe
  1012  OAD.exe
  1012  OAD.exe
  1012  OAD.exe
  1012  OAD.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 2028 wrote to memory of 1012  2028  a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe  OAD.exe
  PID 2028 wrote to memory of 1012  2028  a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe  OAD.exe
  PID 2028 wrote to memory of 1012  2028  a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe  OAD.exe
  PID 2028 wrote to memory of 1012  2028  a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe  OAD.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\NWHPQU\OAD.exe (spawned by process 1)
      command line: "C:\ProgramData\NWHPQU\OAD.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\NWHPQU\OAD.00
Filesize: 2KB
MD5: 6db4e712b1303e6f44ee5853458c2ecb
SHA1: 7d4c75c754017df791f380c96d1128c1e348ba3d
SHA256: 59897c00541624af593e53a1290d2c6718554d3cee9ab050ab0643cf3b7782cf
SHA512: 1a54c30337bf7591dd16b4a8c003db01547077e463ceee4daaf51494544aceeb17cbdda12d20d96f73beb373b5750378987a928194964c088b2de87f3e378be6

C:\ProgramData\NWHPQU\OAD.01
Filesize: 81KB
MD5: 0402b2d80b4b60fff57d270f03160e0f
SHA1: 9311e436ba9147f7976db3193831b049cd7769b8
SHA256: 06cdf7f19f1766fd6118c3edc1ff658f135228d2106a7d83e2dba4ed52c9ef29
SHA512: f1bc9d39b978b1fb6d14466ba4b9ce4a18bbc8cbe98427ba1539362b3f3ee9add49788cf6c99aa4b0251911258173fefaee83399dc5af5623b0587356e23ed23

C:\ProgramData\NWHPQU\OAD.exe
Filesize: 2.4MB
MD5: 831663dde03a14a183c9670a92ac1fc1
SHA1: b63901a572c7ab77d69bf0ced7b7b8e98b90a3fe
SHA256: d3057290e218a6df2c4cfd00b8cd24912423d5a74d419d77504fdb2b49aed77b
SHA512: 70b036f9f22835a45d61dcb24efafee580485eb9e8c75215cf8eb99d4100e3cacfdd9782027358abdc0d711adec939f7e139f3bc6981a905457663cf94a22f13

\ProgramData\NWHPQU\OAD.01
Filesize: 81KB
MD5: 0402b2d80b4b60fff57d270f03160e0f
SHA1: 9311e436ba9147f7976db3193831b049cd7769b8
SHA256: 06cdf7f19f1766fd6118c3edc1ff658f135228d2106a7d83e2dba4ed52c9ef29
SHA512: f1bc9d39b978b1fb6d14466ba4b9ce4a18bbc8cbe98427ba1539362b3f3ee9add49788cf6c99aa4b0251911258173fefaee83399dc5af5623b0587356e23ed23

\ProgramData\NWHPQU\OAD.exe
Filesize: 2.4MB
MD5: 831663dde03a14a183c9670a92ac1fc1
SHA1: b63901a572c7ab77d69bf0ced7b7b8e98b90a3fe
SHA256: d3057290e218a6df2c4cfd00b8cd24912423d5a74d419d77504fdb2b49aed77b
SHA512: 70b036f9f22835a45d61dcb24efafee580485eb9e8c75215cf8eb99d4100e3cacfdd9782027358abdc0d711adec939f7e139f3bc6981a905457663cf94a22f13

memory/1012-56-0x0000000000000000-mapping.dmp

memory/1012-63-0x0000000000750000-0x0000000000769000-memory.dmp
Filesize: 100KB

memory/1012-64-0x0000000000750000-0x0000000000769000-memory.dmp
Filesize: 100KB

memory/2028-54-0x00000000760B1000-0x00000000760B3000-memory.dmp
Filesize: 8KB

memory/2028-57-0x0000000000F80000-0x000000000118B000-memory.dmp
Filesize: 2.0MB