Analysis

max time kernel: 44s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 30-11-2022 09:38

Static task: static1
Behavioral task: behavioral1
  Sample: clientIC.exe
  Resource: win7-20220901-en
General

Target: clientIC.exe
Size: 233KB
MD5: 6748ab9c3f718189aa1942e6465c5de4
SHA1: 872407ac71d607b1d02b1e116ce7c1a788078888
SHA256: d7cc0491b79a1024a4b9cdff777d016b9ccd6ecb7b335ccb54f61fea89e345cd
SHA512: 90710bb4a02c94c9274aa25ca67357c037475d1c7793fc9a72568e853c989a5e77587f7f7a66bcc46c89f53e3629a507d537721c234866710cabb362b79da74a
SSDEEP: 6144:5Bnuy0yPQ9aJbN6bWfO8hOXFI07pyDRAHUdTHyqiYBNBYd5PP2Tkc+:Ky0yPQ90bN6bkhI9W2rMNBYn2Ic+
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: PID 832 phduzwarfr.exe

Loads dropped DLL (2 IoCs)
  Process: PID 1200 clientIC.exe (two load events recorded)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox rates this as likely ransomware behaviour; on its own, drive enumeration is also routine for installers and updaters, so weigh it together with the dropped-EXE and memory-write indicators in this section rather than in isolation.

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1200 (clientIC.exe) wrote to the memory of PID 832 (phduzwarfr.exe); four write events recorded.
  A parent writing into a child it has just created is consistent with process hollowing, but the Windows loader also writes the new process's parameters into the child during CreateProcess, so confirm injection from section mapping, remote thread creation or the memory dumps listed under Downloads before treating these writes as injection on their own.
Processes

1. C:\Users\Admin\AppData\Local\Temp\clientIC.exe (PID 1200)
   Command line: "C:\Users\Admin\AppData\Local\Temp\clientIC.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe (PID 832), child of PID 1200
      Command line: "C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe" C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws
      - Executes dropped EXE
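The process tree above is the pattern a detection engineer would want to catch on a real host: a binary in the user's Temp directory creates a second executable next to itself, launches it, and hands it a non-executable data file (zvqzaut.hws) on the command line. The script below is an added example, not output from this sandbox report: it replays Sysmon-style ProcessCreate (event ID 1) and FileCreate (event ID 11) records and flags a process when its image was written by its parent, runs from Temp, or is given a Temp data file as an argument. The event list is constructed to mirror the report's tree (PIDs, paths and command lines are copied from it); the parent PID 1000, the notepad control row and the event field names are assumptions.

```python
"""Flag the 'executes dropped EXE' chain from Sysmon-style events.

Added example; the telemetry below is constructed to mirror the report's
process tree and is not real Sysmon output.
"""
import ntpath
import re

# Constructed events: EID 1 = ProcessCreate, EID 11 = FileCreate.
EVENTS = [
    {"eid": 1, "pid": 1200, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\clientIC.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\clientIC.exe"'},
    {"eid": 11, "pid": 1200, "target": r"C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe"},
    {"eid": 11, "pid": 1200, "target": r"C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws"},
    {"eid": 1, "pid": 832, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe" C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws'},
    # Invented benign control row: a system binary with no Temp involvement.
    {"eid": 1, "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
EXEC_EXTS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted path or bare token


def _norm(path):
    """Case-fold and normalise separators so paths compare reliably."""
    return path.replace("/", "\\").lower()


def find_dropped_exe_chains(events, min_reasons=2):
    """Return processes matching at least `min_reasons` of these indicators:
      * the image file was written earlier by the parent process (dropped EXE),
      * the image runs from a user's Temp directory,
      * a non-executable Temp file is passed on the command line.
    """
    written_by = {}  # pid -> set of normalised paths that process created
    findings = []
    for ev in events:
        if ev["eid"] == 11:
            written_by.setdefault(ev["pid"], set()).add(_norm(ev["target"]))
            continue
        if ev["eid"] != 1:
            continue
        image = _norm(ev["image"])
        reasons = []
        if image in written_by.get(ev["ppid"], set()):
            reasons.append("image was written by parent process (dropped EXE)")
        if USER_TEMP.match(image):
            reasons.append("image executes from user Temp")
        # Drop argv[0]; strip the quotes the tokenizer keeps around paths.
        args = [t.strip('"') for t in TOKEN.findall(ev["cmdline"])][1:]
        for arg in args:
            a = _norm(arg)
            if USER_TEMP.match(a) and ntpath.splitext(a)[1] not in EXEC_EXTS:
                reasons.append("non-executable Temp file passed as argument: "
                               + ntpath.basename(arg))
        if len(reasons) >= min_reasons:
            findings.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_dropped_exe_chains(EVENTS):
        print(hit["pid"], hit["image"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

With the default threshold only PID 832 is reported, with all three reasons; lowering `min_reasons` to 1 also surfaces PID 1200 for running from Temp, which is useful for hunting but too noisy for an alert on its own.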
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
  Filesize: 58KB
  MD5: b670630c7aa6f7e6951b5c76c744d4d9
  SHA1: de350e75c9bafcd96a7d1d7d903f5a93bd1feac9
  SHA256: 29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54
  SHA512: ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a
  (The same file is listed twice more as \Users\Admin\AppData\Local\Temp\phduzwarfr.exe with identical size and hashes.)

memory/832-57-0x0000000000000000-mapping.dmp

memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB
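The hashes in General and Downloads are the portable artefacts of this report: they let a responder check other hosts for the same sample or the same dropped file. The scanner below is an added example, not part of the report or of the sandbox's tooling. Its IoC table is copied verbatim from the page (MD5, SHA1 and SHA256 of clientIC.exe and phduzwarfr.exe); the directory walk, the one-pass multi-digest read and the self-check in `demo()` (which registers a constructed byte string as an extra IoC, since the real samples are not on this page) are illustrative assumptions.

```python
"""Scan a directory tree for files whose hashes match the report's IoCs.

Added example. The IOCS table is copied from the report; the rest is
illustrative and the demo data is constructed.
"""
import hashlib
import os
import tempfile

# Hashes copied from the report (sample and dropped file).
IOCS = [
    {"label": "clientIC.exe (sample)",
     "md5": "6748ab9c3f718189aa1942e6465c5de4",
     "sha1": "872407ac71d607b1d02b1e116ce7c1a788078888",
     "sha256": "d7cc0491b79a1024a4b9cdff777d016b9ccd6ecb7b335ccb54f61fea89e345cd"},
    {"label": "phduzwarfr.exe (dropped)",
     "md5": "b670630c7aa6f7e6951b5c76c744d4d9",
     "sha1": "de350e75c9bafcd96a7d1d7d903f5a93bd1feac9",
     "sha256": "29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54"},
]
ALGOS = ("md5", "sha1", "sha256", "sha512")


def build_index(iocs):
    """Map (algorithm, lowercase hex digest) -> label for O(1) lookups."""
    index = {}
    for ioc in iocs:
        for algo in ALGOS:
            if algo in ioc:
                index[(algo, ioc[algo].lower())] = ioc["label"]
    return index


def digest_bytes(data):
    """All ALGOS digests of an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path, chunk=1 << 20):
    """All ALGOS digests of a file, read once in 1 MiB chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, index):
    """Return [(algorithm, label)] for every digest present in the index."""
    hits = []
    for algo, hexdigest in digests.items():
        label = index.get((algo, hexdigest.lower()))
        if label:
            hits.append((algo, label))
    return hits


def scan_tree(root, iocs=IOCS):
    """Walk `root` and return [(path, algorithm, label)] for matching files.
    Unreadable files (locked, permission denied) are skipped, not fatal."""
    index = build_index(iocs)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue
            for algo, label in match_digests(digests, index):
                findings.append((path, algo, label))
    return findings


def demo():
    """Constructed self-check: one benign file and one file whose SHA256 is
    registered as an extra IoC, because the real sample is not on this page."""
    marker = b"constructed payload bytes, not the real sample\n"
    extra = IOCS + [{"label": "constructed-test-file",
                     "sha256": hashlib.sha256(marker).hexdigest()}]
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(marker)
        return [(os.path.basename(p), algo, label)
                for p, algo, label in scan_tree(root, extra)]


if __name__ == "__main__":
    for path, algo, label in demo():
        print(f"{path}: {algo} matches {label}")
```

Run it against a suspect user profile with `scan_tree(r"C:\Users")`; matching on any of the three algorithms means a partial hash set from another report (for instance an MD5-only feed) still hits. For near-duplicate detection the report's SSDEEP value would be matched with the `ssdeep` library rather than by exact lookup.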