b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f

Analysis

max time kernel
42s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe
Size

319KB
MD5

14b5838f141bb5106acd5a6b7f4e8f30
SHA1

6bbfad3803cbc7c2ae32a7b449ac2cea022f48ab
SHA256

b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f
SHA512

c79da5a2a378a57135f1ac3fe6892f082c4b281c0124d2df0b1f019853b6e049203f83e67b5e4e4bbb8c13bb463c7fbc635f81f0dd25cf0c822d2571bda6c143
SSDEEP

6144:f6zF1huD31TtVOQ7wf5zVu36xrRanr0WDfWN2S3zaEmgsj74:guD1Rdwf5zRkr0Wig7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
872	Crypted.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe
1988	b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 872	1988	b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe	29
PID 1988 wrote to memory of 872	1988	b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe	29
PID 1988 wrote to memory of 872	1988	b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe	29
PID 1988 wrote to memory of 872	1988	b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe	29
PID 872 wrote to memory of 1188	872	Crypted.exe	30
PID 872 wrote to memory of 1188	872	Crypted.exe	30
PID 872 wrote to memory of 1188	872	Crypted.exe	30

C:\Users\Admin\AppData\Local\Temp\b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe
"C:\Users\Admin\AppData\Local\Temp\b195c234eb83913067eb2921077266a6cee5dacea08f8c8bbdcbdb635104043f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 404
    3⤵
    PID:1188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\862150_498751900217675_874178382_n.ico

Filesize
133KB

MD5
b86a2d3fb9fde1a7a700a5bb84bf4f8d

SHA1
b1dbbfb8da7ebd214ab6eb5d45b7b46e6f5dee59

SHA256
1b39fe950012435cc09025e311b3d0b41a0f9672d3e8be6e70a330e223030684

SHA512
9d8c505d53f889ba4f73b2a3e0cc69e5d9f7fa996986376ba7f0f3ceee0ccba7582bc7a499fb8ebabb71470aef409e3fbb93519cd6aa9719aa4d9692ac18d4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
42KB

MD5
89957dc086981aabce57e759f3fc2dd8

SHA1
c2af7ca5453002fe72769b0978a42e445e1b88d5

SHA256
da48e2d1b810411931a1e7347f66ceda94f4b6393c84ddaf460c4538950c0676

SHA512
8894e18b4fd0e920245c4655ba9f6220a50479b818b449ac10b8397e34681c8bba2fb05a214cbff7d9fc057cbf2dafe54784acbebcae8a11ec6ccac2f3afaf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
42KB

MD5
89957dc086981aabce57e759f3fc2dd8

SHA1
c2af7ca5453002fe72769b0978a42e445e1b88d5

SHA256
da48e2d1b810411931a1e7347f66ceda94f4b6393c84ddaf460c4538950c0676

SHA512
8894e18b4fd0e920245c4655ba9f6220a50479b818b449ac10b8397e34681c8bba2fb05a214cbff7d9fc057cbf2dafe54784acbebcae8a11ec6ccac2f3afaf06

Download Submit
\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
42KB

MD5
89957dc086981aabce57e759f3fc2dd8

SHA1
c2af7ca5453002fe72769b0978a42e445e1b88d5

SHA256
da48e2d1b810411931a1e7347f66ceda94f4b6393c84ddaf460c4538950c0676

SHA512
8894e18b4fd0e920245c4655ba9f6220a50479b818b449ac10b8397e34681c8bba2fb05a214cbff7d9fc057cbf2dafe54784acbebcae8a11ec6ccac2f3afaf06

Download Submit
\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
42KB

MD5
89957dc086981aabce57e759f3fc2dd8

SHA1
c2af7ca5453002fe72769b0978a42e445e1b88d5

SHA256
da48e2d1b810411931a1e7347f66ceda94f4b6393c84ddaf460c4538950c0676

SHA512
8894e18b4fd0e920245c4655ba9f6220a50479b818b449ac10b8397e34681c8bba2fb05a214cbff7d9fc057cbf2dafe54784acbebcae8a11ec6ccac2f3afaf06

Download Submit
memory/872-61-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/1188-63-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download
memory/1988-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download