Analysis

  • max time kernel
    151s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/11/2022, 03:26

General

  • Target

    c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe

  • Size

    80KB

  • MD5

    c5acbe75fc88475610ade31fa594a71b

  • SHA1

    664b8032ba52aa926ba8f01a32dcf50fc1079df6

  • SHA256

    c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19

  • SHA512

    393be8ef508808d3738bc9a09ac531a1432b1078259b3d982bc4fe6ac4e1e6c720251b7da2a5059b64510309f8cabfe3aadf30baec9ea77889baa740bb450f12

  • SSDEEP

    768:E4wqbVmf0fDUop1AShqG9jy1R2g7VnxPPB4qHfA5pcZdFveLuRQ1H2GBVI6Z:J4f8DRCST9XUZHfAUZ7yuRQ11VI6Z

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe
    "C:\Users\Admin\AppData\Local\Temp\c156a1640742b4dff1b084e66c33fde8234a9eadd68e75a6c7f54b411af0ab19.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\rcdaiw.exe
      "C:\Users\Admin\rcdaiw.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1748

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\rcdaiw.exe

    Filesize

    80KB

    MD5

    98b8fb6fb004f08926b0ec4252b16392

    SHA1

    f090f3bc130a5e6c6182aa6af1be8cf10d3195c7

    SHA256

    f9c2ec286e9f3ff66fbe80cccc7cdf315a5a51736fdb954418405102019387d2

    SHA512

    54dda28e4e4bf826c2f5b433cfe7f1f823c81270c441aea9fde009e9b66115bdb2863e6c9c095afe7ca39117aea039055b27a6ed030aa9976f7fef8e05ad3660

  • \Users\Admin\rcdaiw.exe

    Filesize

    80KB

    MD5

    98b8fb6fb004f08926b0ec4252b16392

    SHA1

    f090f3bc130a5e6c6182aa6af1be8cf10d3195c7

    SHA256

    f9c2ec286e9f3ff66fbe80cccc7cdf315a5a51736fdb954418405102019387d2

    SHA512

    54dda28e4e4bf826c2f5b433cfe7f1f823c81270c441aea9fde009e9b66115bdb2863e6c9c095afe7ca39117aea039055b27a6ed030aa9976f7fef8e05ad3660

  • memory/1600-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

    Filesize

    8KB