7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

Analysis

max time kernel
186s
max time network
193s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe
Size

1.2MB
MD5

b3adf2a8385cda4743f7f66b229b1298
SHA1

9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d
SHA256

7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5
SHA512

c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264
SSDEEP

24576:1LQwGCeFDUp3+VQ6VFLmNnsj2odv7eR1bAOBGo+gXZms97x:VQwGCY4Nz6VFLmNkr7eHAOBGo3x

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1540	6306698.exe

Deletes itself 1 IoCs

pid	Process
1232	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1232	cmd.exe
1232	cmd.exe
1540	6306698.exe
1540	6306698.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6306698 = "\"C:\\Users\\Admin\\AppData\\Local\\6306698.exe\" 0 46 "	6306698.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5 = "\"C:\\Users\\Admin\\AppData\\Local\\6306698.exe\" 0 50 "	7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	6306698.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2036	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1540	6306698.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe
1540	6306698.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1232	920	7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe	27
PID 920 wrote to memory of 1232	920	7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe	27
PID 920 wrote to memory of 1232	920	7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe	27
PID 920 wrote to memory of 1232	920	7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe	27
PID 1232 wrote to memory of 2036	1232	cmd.exe	29
PID 1232 wrote to memory of 2036	1232	cmd.exe	29
PID 1232 wrote to memory of 2036	1232	cmd.exe	29
PID 1232 wrote to memory of 2036	1232	cmd.exe	29
PID 1232 wrote to memory of 1540	1232	cmd.exe	30
PID 1232 wrote to memory of 1540	1232	cmd.exe	30
PID 1232 wrote to memory of 1540	1232	cmd.exe	30
PID 1232 wrote to memory of 1540	1232	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe
"C:\Users\Admin\AppData\Local\Temp\7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\56927.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5 /f
    3⤵
    - Modifies registry key
    PID:2036
- - C:\Users\Admin\AppData\Local\6306698.exe
    C:\Users\Admin\AppData\Local\6306698.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6306698.exe

Filesize
1.2MB

MD5
b3adf2a8385cda4743f7f66b229b1298

SHA1
9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d

SHA256
7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

SHA512
c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264

Download Submit
C:\Users\Admin\AppData\Local\6306698.exe

Filesize
1.2MB

MD5
b3adf2a8385cda4743f7f66b229b1298

SHA1
9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d

SHA256
7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

SHA512
c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264

Download Submit
C:\Users\Admin\AppData\Local\Temp\56927.bat

Filesize
454B

MD5
bb1ffc1407fd2ee1b983116d68a324dd

SHA1
8c20126645327fa6bb01904701f70c1ff174e9b6

SHA256
1f7fda798037f36a91bd18c3f29d577dd58c04cbba2cf6d9ada617b76aa5a968

SHA512
628aeb74202e0b69373c1530595c9e4eb5e1c8d4d05aa0ad8a8384b35e683aed8d5bc25b812661aa1d9fde3749e8c53bf12ef97c3fdd61063aeecb148fc7aa37

Download Submit
\Users\Admin\AppData\Local\6306698.exe

Filesize
1.2MB

MD5
b3adf2a8385cda4743f7f66b229b1298

SHA1
9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d

SHA256
7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

SHA512
c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264

Download Submit
\Users\Admin\AppData\Local\6306698.exe

Filesize
1.2MB

MD5
b3adf2a8385cda4743f7f66b229b1298

SHA1
9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d

SHA256
7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

SHA512
c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264

Download Submit
\Users\Admin\AppData\Local\6306698.exe

Filesize
1.2MB

MD5
b3adf2a8385cda4743f7f66b229b1298

SHA1
9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d

SHA256
7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

SHA512
c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264

Download Submit
\Users\Admin\AppData\Local\6306698.exe

Filesize
1.2MB

MD5
b3adf2a8385cda4743f7f66b229b1298

SHA1
9fc23c8b0d5b1ed647d2a6f6b1a4ee967b95504d

SHA256
7832856d9efb5292cbc9d01a4a5dc094b334615bf1d0453071654e7de5fe10b5

SHA512
c04798ee8ebd041a2a7aae85e9f6bf30138ad5bf689986f07083429dfabbdb2cb849a9ffcedee28fa978079caacb353e81b53093d4d1fdac5ed052a255b1d264

Download Submit
memory/920-58-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/920-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/920-56-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/920-55-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1540-67-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1540-69-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1540-71-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download