Analysis

  • max time kernel
    35s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220812-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    29/11/2022, 14:28

General

  • Target

    250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe

  • Size

    646KB

  • MD5

    4f75a4f0e4223d49c9c1f83eda657087

  • SHA1

    70f5045c407146676e55c2311f75adc52851b85b

  • SHA256

    250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3

  • SHA512

    87b92943e01ac3c3305ddc57d22984401b86577fd081d82d2fb1b102cb8ceb8bc1d2a267934d5c300db7a78fe1c8402844a8321cee0cfc9b727317caa6547f74

  • SSDEEP

    12288:b1dlZo5y8E3k12MgGiFELWGgkeMzlELnqRs+gN/61XhhOzkoDQQyazsB3t:b1dlZo51HcKLvcMzlYTBS1Xhhkki6v

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
        "C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Extracted\Hackweball.exe
          "C:\Extracted\Hackweball.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1516
        • C:\Extracted\server.exe
          "C:\Extracted\server.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1708
          • \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe
            "C:\Extracted\server.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:568
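
The tree above is the behaviour worth detecting: the submitted sample runs from the user's Temp directory, drops two executables into a new top-level C:\Extracted directory, and server.exe re-launches itself through a stub under %LOCALAPPDATA%\Xenocode\Sandbox\...\STUBEXE (the layout an application-virtualisation package such as Xenocode Virtual Application Studio uses), reported here with its NT device path. The following script is an added example, not part of the sandbox report or its tooling: it replays that tree as constructed process-creation events and runs three hypothetical detection rules over them. PIDs and image paths are copied from the report; the parent link for Explorer.EXE (ppid 0), the benign notepad.exe control process (PID 2000) and the rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 or a sandbox tree gives you)."""
    pid: int
    ppid: int
    image: str


# Constructed events mirroring the process tree in the report. PIDs and image paths are copied
# from the report; the parent of Explorer.EXE (ppid 0) and the notepad.exe control process
# (PID 2000) are assumptions added for the example.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1288, 0, r"C:\Windows\Explorer.EXE"),
    ProcEvent(1536, 1288, r"C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe"),
    ProcEvent(1516, 1536, r"C:\Extracted\Hackweball.exe"),
    ProcEvent(1708, 1536, r"C:\Extracted\server.exe"),
    ProcEvent(568, 1708, r"\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe"),
    ProcEvent(2000, 1288, r"C:\Windows\System32\notepad.exe"),
]

_NT_DEVICE_PREFIX = re.compile(r"^\\device\\harddiskvolume\d+", re.IGNORECASE)


def normalize_path(image: str) -> str:
    r"""Lowercase and strip the drive letter or NT device prefix, so that
    C:\Extracted\server.exe and \DEVICE\HARDDISKVOLUME2\...\server.exe compare alike."""
    p = _NT_DEVICE_PREFIX.sub("", image.lower())
    if len(p) > 2 and p[1:3] == ":\\":
        p = p[2:]
    return p


# Rule names are hypothetical, not sandbox signature names. Each rule sees (image, parent_image),
# both already normalised; parent_image is None when the parent is not in the event set.
Rule = Callable[[str, Optional[str]], bool]
RULES: Dict[str, Rule] = {
    # an executable launched out of a Xenocode application-virtualisation sandbox stub directory
    "xenocode_stub_launch": lambda img, parent: "\\appdata\\local\\xenocode\\sandbox\\" in img and "\\stubexe\\" in img,
    # executables running out of a freshly created top-level directory (the name is sample-specific)
    "exec_from_extracted_dir": lambda img, parent: img.startswith("\\extracted\\"),
    # any child whose parent is an .exe executing from the user's Temp directory
    "child_of_temp_exe": lambda img, parent: parent is not None and "\\appdata\\local\\temp\\" in parent and parent.endswith(".exe"),
}


def evaluate(events: List[ProcEvent], rules: Dict[str, Rule] = RULES) -> Dict[int, List[str]]:
    """Return {pid: [rule names that fired]} for every event matching at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        img = normalize_path(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = normalize_path(parent.image) if parent else None
        fired = [name for name, check in rules.items() if check(img, parent_img)]
        if fired:
            hits[e.pid] = fired
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk ppid links from pid up to the root (guarding against cycles); gives the chain behind a hit."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, fired in sorted(evaluate(SAMPLE_EVENTS).items()):
        chain = " <- ".join(str(p) for p in ancestry(SAMPLE_EVENTS, pid))
        print(f"PID {pid}: {', '.join(fired)}  (chain: {chain})")
```

Running it flags PIDs 1516 and 1708 (drop directory plus Temp parent) and PID 568 (the Xenocode stub re-launch), and leaves Explorer.EXE, the Temp-resident sample itself and the notepad control untouched. The path normalisation matters in practice: Sysmon and ETW report some images with the \Device\HarddiskVolumeN prefix, as this report does for PID 568, and a rule that only matches C:\... would miss exactly that process.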

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Extracted\Hackweball.exe

      Filesize

      224KB

      MD5

      c9741e5cf9c1e529f9777de1701f8375

      SHA1

      cd0e97823bb155f1724b134a929306be4ec536bf

      SHA256

      f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

      SHA512

      b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

    • C:\Extracted\server.exe

      Filesize

      394KB

      MD5

      4564a9fcbd275eebde0ec8bcddf39561

      SHA1

      e61782d6214dfc59717db6229cdbc2f6b7a5c67b

      SHA256

      5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

      SHA512

      d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

    • C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe

      Filesize

      17KB

      MD5

      e6361c7005b104dfa196e7bba3026a61

      SHA1

      645820b4f900b28b488e0de12df4e3e45aae55bc

      SHA256

      5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d

      SHA512

      193a4410b729a1d0ac73cdcd5f20f68c6b86be079e3764d4671907f42870dbf0dae6707c0798324302cec972cb22f5f7c7692e57ac623141387839a6a2f82c8c

    • \Extracted\Hackweball.exe

      Filesize

      224KB

      MD5

      c9741e5cf9c1e529f9777de1701f8375

      SHA1

      cd0e97823bb155f1724b134a929306be4ec536bf

      SHA256

      f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

      SHA512

      b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

    • \Extracted\server.exe

      Filesize

      394KB

      MD5

      4564a9fcbd275eebde0ec8bcddf39561

      SHA1

      e61782d6214dfc59717db6229cdbc2f6b7a5c67b

      SHA256

      5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

      SHA512

      d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

    • \Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Virtual\STUBEXE\8.0.1112\@APPDIR@\server.exe

      Filesize

      17KB

      MD5

      e6361c7005b104dfa196e7bba3026a61

      SHA1

      645820b4f900b28b488e0de12df4e3e45aae55bc

      SHA256

      5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d

      SHA512

      193a4410b729a1d0ac73cdcd5f20f68c6b86be079e3764d4671907f42870dbf0dae6707c0798324302cec972cb22f5f7c7692e57ac623141387839a6a2f82c8c

    • memory/568-80-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/568-78-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/568-87-0x0000000000480000-0x00000000004F2000-memory.dmp

      Filesize

      456KB

    • memory/568-83-0x0000000010000000-0x0000000010011000-memory.dmp

      Filesize

      68KB

    • memory/568-82-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/568-81-0x0000000000480000-0x00000000004F2000-memory.dmp

      Filesize

      456KB

    • memory/568-79-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/1288-84-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

      Filesize

      24KB

    • memory/1536-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

      Filesize

      8KB

    • memory/1708-68-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/1708-73-0x0000000000350000-0x00000000003C2000-memory.dmp

      Filesize

      456KB

    • memory/1708-72-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/1708-71-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/1708-70-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/1708-69-0x0000000010000000-0x0000000010037000-memory.dmp

      Filesize

      220KB

    • memory/1708-88-0x0000000000350000-0x00000000003C2000-memory.dmp

      Filesize

      456KB
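
The file hashes listed under Downloads are the indicators an incident responder would sweep a host or a file share for. The script below is an added example, not code from the sandbox or its report: it embeds the four SHA256 values from this page (the submitted sample and the three dropped files; the labels in parentheses are mine), hashes every file under a directory in streamed chunks, and reports matches. The self_check() function plants a constructed file in a temporary directory and registers its hash as an extra indicator so the sweep can be exercised offline without the real samples.

```python
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA256 values copied from the report (submitted sample plus the three dropped files);
# the labels in parentheses are mine, not the sandbox's.
REPORT_SHA256: Dict[str, str] = {
    "250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3": "submitted sample (646KB)",
    "f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae": "C:\\Extracted\\Hackweball.exe (224KB)",
    "5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f": "C:\\Extracted\\server.exe (394KB)",
    "5015077f26651c8186111e79eac3abe04de303aa83e6b6c03526ec0e62c46a8d": "Xenocode STUBEXE server.exe (17KB)",
}

ALGOS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of an in-memory buffer (MD5 and SHA1 only so older reports can be matched)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file, streamed so large files never have to fit in memory."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root: Path, iocs: Dict[str, str] = REPORT_SHA256) -> List[Tuple[str, str, str]]:
    """Hash every regular file under root; return (path, sha256, label) for each IOC hit."""
    matches: List[Tuple[str, str, str]] = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            sha256 = digest_file(p)["sha256"]
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the whole sweep
        if sha256 in iocs:
            matches.append((str(p), sha256, iocs[sha256]))
    return matches


def self_check() -> List[Tuple[str, str, str]]:
    """Offline demonstration: plant a constructed file, register its hash as an IOC, sweep for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Extracted").mkdir()
        planted = root / "Extracted" / "server.exe"
        planted.write_bytes(b"constructed sample, not the real dropper")  # constructed content
        (root / "benign.txt").write_bytes(b"unrelated file")
        iocs = dict(REPORT_SHA256)
        iocs[digest_bytes(planted.read_bytes())["sha256"]] = "planted test file"
        return scan_tree(root, iocs)


if __name__ == "__main__":
    # usage: python ioc_sweep.py <directory>; with no argument the offline self-check runs instead
    hits = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else self_check()
    for path, sha256, label in hits:
        print(f"{path}\n  sha256={sha256}\n  matches: {label}")
```

Match on SHA256 rather than the MD5 or SHA1 columns: both older algorithms have practical collision attacks, and a sample that has been repacked changes all three anyway, which is why the report also carries an SSDEEP fuzzy hash for similarity matching. Note that a sweep like this only catches the on-disk artifacts; the memory/568-* and memory/1708-* dumps above are regions that existed only in the running processes and need a memory acquisition, not a file scan.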