Analysis
- max time kernel: 37s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 20:31
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.FileRepMalware.16929.9956.exe
- Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.FileRepMalware.16929.9956.exe
- Size: 272KB
- MD5: f2455fcb7954e649589e7406fd5acc97
- SHA1: 2532f710ed4ee7bae1be0f8726b4d599fda03973
- SHA256: be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a
- SHA512: b3ad6211317fa9159adb8a0a9a2486d091bc56bce288a0843005a90e761f4832d34b60ee28b5fd2c5b4bac5ac2962c144051de99f264bc4d2f6311bfb7711e5a
- SSDEEP: 6144:QBn1e3XWMCcAYtE3R0n0OZL/mS3SnBLOag9YMHLcxzcsc:goGaAYt4OrgO5Zcxzcsc
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 968 eubkfbzr.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 1672 SecuriteInfo.com.FileRepMalware.16929.9956.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1672 SecuriteInfo.com.FileRepMalware.16929.9956.exe wrote to memory of PID 968 eubkfbzr.exe (four identical events)
  Note: a handful of writes by a parent into a child it has just created is also commonly seen during ordinary process start-up in sandbox traces, so on its own this signature corroborates rather than proves injection into eubkfbzr.exe. The stronger indicators here are that the child is a freshly dropped executable and that it is launched with a non-executable file (qnhjmzefy.uas) from the same directory as its argument.
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.16929.9956.exe (PID 1672, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.16929.9956.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe (PID 968, level 2, child of PID 1672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe" C:\Users\Admin\AppData\Local\Temp\qnhjmzefy.uas
    - Executes dropped EXE
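The process tree above is the part of this report a detection engineer would turn into logic: a sample that writes an executable into Temp, runs it, passes it a non-PE file from the same directory, and writes into the child's memory. The following is an added example, not code from the sandbox or from the report; it replays the events visible above as hand-constructed records and applies three checks to them. The event field names (kind, pid, ppid, image, cmdline, path, target), the helper names, and the parent PID 1000 given to the sample are assumptions made for this example; the report does not show the sample's parent.

```python
"""Detection checks over process events of the kind the report above lists.

Added example: not the sandbox's own code. The event records are constructed
from the PIDs, paths and command lines in the report; field and helper names
are assumptions for this example.
"""
import ntpath
import re
from dataclasses import dataclass

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP_DIR + r"\SecuriteInfo.com.FileRepMalware.16929.9956.exe"
DROPPED = TEMP_DIR + r"\eubkfbzr.exe"
DATA_FILE = TEMP_DIR + r"\qnhjmzefy.uas"


@dataclass
class Event:
    kind: str          # "create" | "file_write" | "proc_write" (assumed names)
    pid: int           # process generating the event
    image: str = ""    # image path of that process
    ppid: int = 0      # parent PID (create events)
    cmdline: str = ""  # command line (create events)
    path: str = ""     # file written (file_write events)
    target: int = 0    # target PID (proc_write events)


# Constructed trace: the sample (PID 1672) drops eubkfbzr.exe, launches it
# (PID 968) with the .uas file as argument and writes into its memory 4 times.
# PPID 1000 for the sample is a placeholder; the report does not show it.
EVENTS = [
    Event("create", 1672, SAMPLE, ppid=1000, cmdline='"' + SAMPLE + '"'),
    Event("file_write", 1672, SAMPLE, path=DROPPED),
    Event("create", 968, DROPPED, ppid=1672,
          cmdline='"' + DROPPED + '" ' + DATA_FILE),
] + [Event("proc_write", 1672, SAMPLE, target=968) for _ in range(4)]

PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
RANDOM_NAME = re.compile(r"^[a-z]{6,12}$")  # eubkfbzr / qnhjmzefy style names


def split_cmdline(cmdline):
    """Windows-style tokenisation: quoted tokens stay whole, quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_dropped_exe_execution(events):
    """(child_pid, writer_pid) for every process whose image file was written
    earlier in the trace by another process ("Executes dropped EXE")."""
    written, hits = {}, []
    for e in events:
        if e.kind == "file_write":
            written[e.path.lower()] = e.pid
        elif e.kind == "create" and e.image.lower() in written:
            hits.append((e.pid, written[e.image.lower()]))
    return hits


def count_parent_child_writes(events):
    """WriteProcessMemory calls by a parent into a child it spawned, keyed by
    (parent_pid, child_pid). Noisy on its own: ordinary process start-up also
    writes into a new child, so treat this as corroboration, not proof."""
    parent_of = {e.pid: e.ppid for e in events if e.kind == "create"}
    counts = {}
    for e in events:
        if e.kind == "proc_write" and parent_of.get(e.target) == e.pid:
            counts[(e.pid, e.target)] = counts.get((e.pid, e.target), 0) + 1
    return counts


def find_temp_loader_pattern(events):
    """Executable started from Temp with a non-PE file from the same directory
    as argument (loader plus payload blob, as in the process tree).
    Returns (pid, exe_name, data_name, both_names_look_random)."""
    hits = []
    for e in events:
        if e.kind != "create" or ntpath.dirname(e.image).lower() != TEMP_DIR.lower():
            continue
        exe_dir = ntpath.dirname(e.image).lower()
        exe_stem = ntpath.splitext(ntpath.basename(e.image))[0]
        for arg in split_cmdline(e.cmdline)[1:]:
            if "\\" not in arg or ntpath.dirname(arg).lower() != exe_dir:
                continue
            stem, ext = ntpath.splitext(ntpath.basename(arg))
            if ext.lower() in PE_EXTENSIONS:
                continue
            random_names = bool(RANDOM_NAME.match(exe_stem) and RANDOM_NAME.match(stem))
            hits.append((e.pid, ntpath.basename(e.image), ntpath.basename(arg), random_names))
    return hits


def assess(events):
    """Combine the checks; the noisy memory-write count is reported but does
    not by itself drive the verdict."""
    dropped = find_dropped_exe_execution(events)
    loader = find_temp_loader_pattern(events)
    return {
        "executes_dropped_exe": dropped,
        "parent_child_writes": count_parent_child_writes(events),
        "temp_loader_pattern": loader,
        "suspicious": bool(dropped) and bool(loader),
    }


if __name__ == "__main__":
    for key, value in assess(EVENTS).items():
        print(key, value)
```

The verdict deliberately requires both the dropped-EXE execution and the loader layout; the parent-to-child write count is kept as supporting evidence because, as noted in the Signatures section, a few such writes also appear for benign process creation in sandbox traces.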
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
  Filesize: 122KB
  MD5: 36acfdb1046bd68aa0e6cc2ab4e4c3bd
  SHA1: 75a07369397553b78f46752b160893893188dd90
  SHA256: 06437c9f7a08d1d71708fc123595278f2f3f8bc28a1984ef0020fe982f767f99
  SHA512: 06c47082dde926e47f60acf806e273f875804a1a28bc9d4a4df050a83a93700d8234e2cc97c4e4b2327010885fa0e959d3646c8936f78a78ca27a7d023e025d6
- \Users\Admin\AppData\Local\Temp\eubkfbzr.exe (same file as above, listed under its drive-relative path)
  Filesize: 122KB
  MD5: 36acfdb1046bd68aa0e6cc2ab4e4c3bd
  SHA1: 75a07369397553b78f46752b160893893188dd90
  SHA256: 06437c9f7a08d1d71708fc123595278f2f3f8bc28a1984ef0020fe982f767f99
  SHA512: 06c47082dde926e47f60acf806e273f875804a1a28bc9d4a4df050a83a93700d8234e2cc97c4e4b2327010885fa0e959d3646c8936f78a78ca27a7d023e025d6
- memory/968-56-0x0000000000000000-mapping.dmp
- memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
  Filesize: 8KB