Overview

overview

8

Static

static

bf7720a475...9e.exe

windows7-x64

8

bf7720a475...9e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e.exe

  • Size

    126KB

  • MD5

    c53c07a60b70dc13d833d18432b97750

  • SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

  • SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

  • SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

  • SSDEEP

    3072:bz1tx+SuJin7ClTa4aLYa6KQfxzqZ5l5sXN8F2P1PHjrRh:bzrduYnWwH6KQfxUlKQyP/

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e.exe
    "C:\Users\Admin\AppData\Local\Temp\bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Users\Admin\AppData\Local\Temp\bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e.exe
      "C:\Users\Admin\AppData\Local\Temp\bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            5⤵
            • Suspicious behavior: MapViewOfSection
            PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ASILlzCwXBSr\BQ1Vb72t6bIX.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mtKRzHJklN.lnk
    Filesize

    940B

    MD5

    5991bb2a36db4122ef5c22f670287b16

    SHA1

    a4c0c53bda43463a1d59b9dce4bbf5b49abe3c81

    SHA256

    71c86f226841a66124d633eb3c21aa0b26d60b7c3e6023e2eaa0570537856671

    SHA512

    7ec90daeef171b6d71bcbafed96eb15effd0c54675bee391b8cc670868e350033d99d8be6f5b0dbb5d10df7003fff6cb9f26c4beec7ed3bf2a30af7cd987b98b

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
    Filesize

    514B

    MD5

    5d3bd53f63d25ce546a4db8d46ee9dba

    SHA1

    67ccd5f22134e7376b0701e7bb0f3c33ead03d82

    SHA256

    309b8602ac2df95ae422567098d466f5c7a17078172ccfaccc1550135d031490

    SHA512

    7937c48f84da1300db2abdcb9ebbf64551a7f73fd0328ea20268a3e2b961c9f7369367ea849ad1a4635f432326ac9be11f65c882122e20cc27056a94c68da1d6

    Download Submit

  • \Users\Admin\AppData\Roaming\ASILlzCwXBSr\BQ1Vb72t6bIX.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • \Users\Admin\AppData\Roaming\ASILlzCwXBSr\BQ1Vb72t6bIX.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
    Filesize

    126KB

    MD5

    c53c07a60b70dc13d833d18432b97750

    SHA1

    b222ed4eb66f41a70e5c2a18b37c611ae4975883

    SHA256

    bf7720a475a3691c80baca7463a94433f06971d5e3c834557bbe94f665d4d09e

    SHA512

    b8a753d41a0e26ae866b78cbd8a6b663672953bba84ce089f88db50c19dd8f9e388b5e4f53efae1eedcdb4dee401bf4e352a7520cd3f793e018d2791c70cabd8

    Download Submit

  • memory/696-80-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/696-89-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/696-83-0x0000000000F50000-0x0000000000F68000-memory.dmp

    Filesize

    96KB

    Download

  • memory/696-97-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/904-55-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/904-54-0x0000000075661000-0x0000000075663000-memory.dmp

    Filesize

    8KB

    Download

  • memory/904-90-0x0000000004320000-0x0000000004346000-memory.dmp

    Filesize

    152KB

    Download

  • memory/904-88-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/904-96-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/904-86-0x0000000004320000-0x0000000004346000-memory.dmp

    Filesize

    152KB

    Download

  • memory/904-87-0x0000000004450000-0x0000000004461000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1052-77-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1052-78-0x0000000000390000-0x00000000003B7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1092-84-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1180-85-0x0000000000120000-0x0000000000147000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1208-81-0x0000000002200000-0x0000000002227000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1208-82-0x0000000002940000-0x0000000002952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1676-59-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1676-57-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1676-56-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1676-65-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1728-79-0x0000000000060000-0x0000000000087000-memory.dmp

    Filesize

    156KB

    Download