91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0

Analysis

max time kernel
243s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe
Size

367KB
MD5

73cd715094f2de0ef393e0fcb900434a
SHA1

c154b55a5e5ecab16f7b823552861d4d2c5268da
SHA256

91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0
SHA512

7114230f658bf8a633842800299cc45af6ee5a0ea94cd3c9a8100b88cb4ba6780aa5706b19a28209c3e2c79f42542d1e6f2434a745993f9f9d24600031507e7e
SSDEEP

6144:J1dlZro5yiOXUf80T2RwpF4qxTp5TRV2X4NpiVuesYUCpll:J1dlZo5yDAiwp/TptRoX47iwesYll

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1484	144.exe
1660	server.exe
672	server.exe

Loads dropped DLL 9 IoCs

pid	Process
296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe
296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe
1484	144.exe
1484	144.exe
1484	144.exe
1660	server.exe
1484	144.exe
1484	144.exe
672	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	144.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	144.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Extracted\fõBŸ*á•¸5Áå¬áPµäü¤Á©ÑŽœ7az$°é¯‚2î¿.Up<®$ÆÖ7 ´._aQ}œ¼:¿™±€àl„0Ìàÿ	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1660	server.exe
1660	server.exe
672	server.exe
672	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	DllHost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 296 wrote to memory of 1484	296	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	28
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1484 wrote to memory of 1660	1484	144.exe	29
PID 1660 wrote to memory of 1236	1660	server.exe	10
PID 1660 wrote to memory of 1236	1660	server.exe	10
PID 1660 wrote to memory of 1236	1660	server.exe	10
PID 1660 wrote to memory of 1236	1660	server.exe	10
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 1484 wrote to memory of 672	1484	144.exe	30
PID 672 wrote to memory of 1236	672	server.exe	10
PID 672 wrote to memory of 1236	672	server.exe	10
PID 672 wrote to memory of 1236	672	server.exe	10
PID 672 wrote to memory of 1236	672	server.exe	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe
  "C:\Users\Admin\AppData\Local\Temp\91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe"
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Extracted\144.exe
    "C:\Extracted\144.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:672

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
C:\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
C:\Extracted\27697_105748142806160_100001129239010_42533_367968_n.jpg

Filesize
31KB

MD5
80299479a9f1f18d651725858f30f3ea

SHA1
3f85d1e740ae7d4bbeab977b81fa0c6bb24c7256

SHA256
238a27dc12d13c72ee4378d0cd672113df9491c0766df1f62198743fcff028b1

SHA512
8c8b64d1f8169497a36f1a52724fb2c7198d74b90326c0a32b77839e395c5d98b775e245bd332a3301e48af7f43f142d3c27d832bd969e38da91aaccf5514a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
memory/296-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/672-90-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/672-94-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1236-77-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1484-80-0x0000000000780000-0x00000000007FC000-memory.dmp

Filesize
496KB

Download
memory/1484-65-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/1484-89-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1484-95-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/1484-62-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/1484-74-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1484-64-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/1484-67-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1484-66-0x0000000000780000-0x00000000007FC000-memory.dmp

Filesize
496KB

Download
memory/1660-76-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1660-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1660-81-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1660-75-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download