0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 01:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe
Size

1.3MB
MD5

570a7988ce83224f704f8d64e8658c92
SHA1

24add85937b597ecedfd7761b3636249d8038c20
SHA256

0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c
SHA512

632346f5a34f21fae164f75b26c416423384b7450a13730208fccb5a13a78e1f73f356cd22fd0461e2fb6e3604e4d0c9e07e4b27e19968951419ccec3f3dee32
SSDEEP

24576:/mOMSPE4lNw7xXZTvUlnFJFnIZe+ZBWQBlgict6Q14vHqrJPtLdQdwAKppR:fPiTsnFJlIcwWClgN4KJtxQSp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1472	setup.exe
1936	setup.tmp

Loads dropped DLL 7 IoCs

pid	Process
1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe
1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe
1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe
1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe
1472	setup.exe
1936	setup.tmp
1936	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1504 wrote to memory of 1472	1504	0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe	26
PID 1472 wrote to memory of 1936	1472	setup.exe	27
PID 1472 wrote to memory of 1936	1472	setup.exe	27
PID 1472 wrote to memory of 1936	1472	setup.exe	27
PID 1472 wrote to memory of 1936	1472	setup.exe	27
PID 1472 wrote to memory of 1936	1472	setup.exe	27
PID 1472 wrote to memory of 1936	1472	setup.exe	27
PID 1472 wrote to memory of 1936	1472	setup.exe	27

C:\Users\Admin\AppData\Local\Temp\0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe
"C:\Users\Admin\AppData\Local\Temp\0ad0bcbe066ee33e370efdce11dfe299af274a77a5798851eaed8314242fbc2c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\is-K03AG.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-K03AG.tmp\setup.tmp" /SL5="$10172,753521,138752,C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
8e4c9d0b388868e607853179422266d4

SHA1
ad1e6fcc23e55fcf1a08b6d475b6ea09dd5c3f81

SHA256
c7ed743205bc60a9d4494252314153fe736c1a14f320f1850bce0bb0ba6e5f1a

SHA512
d28fd8f4323da7fcc849c55468c9245d3cdb5184718882ad88b41018e3ce45bdf51a74adae6ab076525c0582aa010105a2d53b6f2454adbf7fccd677c862b096

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
8e4c9d0b388868e607853179422266d4

SHA1
ad1e6fcc23e55fcf1a08b6d475b6ea09dd5c3f81

SHA256
c7ed743205bc60a9d4494252314153fe736c1a14f320f1850bce0bb0ba6e5f1a

SHA512
d28fd8f4323da7fcc849c55468c9245d3cdb5184718882ad88b41018e3ce45bdf51a74adae6ab076525c0582aa010105a2d53b6f2454adbf7fccd677c862b096

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K03AG.tmp\setup.tmp

Filesize
1.1MB

MD5
b78df96d71ce996fbda12992b9648597

SHA1
4ea22cdc3c3d66b59bef1489515edd9bb296be62

SHA256
9a112915cee1102fd5b4a3142b4e2170ac889db9ba70abac426606d86c5217ac

SHA512
61fdc82f521ec6a422a353a7b529acb7a598838725e7231356a585c01d8d3f196eb6efac144e76898228a87e6bdd4a2799b00c8d5f367b502ad9cca0c14951eb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
8e4c9d0b388868e607853179422266d4

SHA1
ad1e6fcc23e55fcf1a08b6d475b6ea09dd5c3f81

SHA256
c7ed743205bc60a9d4494252314153fe736c1a14f320f1850bce0bb0ba6e5f1a

SHA512
d28fd8f4323da7fcc849c55468c9245d3cdb5184718882ad88b41018e3ce45bdf51a74adae6ab076525c0582aa010105a2d53b6f2454adbf7fccd677c862b096

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
8e4c9d0b388868e607853179422266d4

SHA1
ad1e6fcc23e55fcf1a08b6d475b6ea09dd5c3f81

SHA256
c7ed743205bc60a9d4494252314153fe736c1a14f320f1850bce0bb0ba6e5f1a

SHA512
d28fd8f4323da7fcc849c55468c9245d3cdb5184718882ad88b41018e3ce45bdf51a74adae6ab076525c0582aa010105a2d53b6f2454adbf7fccd677c862b096

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
8e4c9d0b388868e607853179422266d4

SHA1
ad1e6fcc23e55fcf1a08b6d475b6ea09dd5c3f81

SHA256
c7ed743205bc60a9d4494252314153fe736c1a14f320f1850bce0bb0ba6e5f1a

SHA512
d28fd8f4323da7fcc849c55468c9245d3cdb5184718882ad88b41018e3ce45bdf51a74adae6ab076525c0582aa010105a2d53b6f2454adbf7fccd677c862b096

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
1.2MB

MD5
8e4c9d0b388868e607853179422266d4

SHA1
ad1e6fcc23e55fcf1a08b6d475b6ea09dd5c3f81

SHA256
c7ed743205bc60a9d4494252314153fe736c1a14f320f1850bce0bb0ba6e5f1a

SHA512
d28fd8f4323da7fcc849c55468c9245d3cdb5184718882ad88b41018e3ce45bdf51a74adae6ab076525c0582aa010105a2d53b6f2454adbf7fccd677c862b096

Download Submit
\Users\Admin\AppData\Local\Temp\is-K03AG.tmp\setup.tmp

Filesize
1.1MB

MD5
b78df96d71ce996fbda12992b9648597

SHA1
4ea22cdc3c3d66b59bef1489515edd9bb296be62

SHA256
9a112915cee1102fd5b4a3142b4e2170ac889db9ba70abac426606d86c5217ac

SHA512
61fdc82f521ec6a422a353a7b529acb7a598838725e7231356a585c01d8d3f196eb6efac144e76898228a87e6bdd4a2799b00c8d5f367b502ad9cca0c14951eb

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR22D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VR22D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1472-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1472-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download