cfee1cf081f586be0dca743b2fd2e38645e14d6e897c8726b0ea164709931e92

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clientIC.exe
Size

233KB
MD5

6748ab9c3f718189aa1942e6465c5de4
SHA1

872407ac71d607b1d02b1e116ce7c1a788078888
SHA256

d7cc0491b79a1024a4b9cdff777d016b9ccd6ecb7b335ccb54f61fea89e345cd
SHA512

90710bb4a02c94c9274aa25ca67357c037475d1c7793fc9a72568e853c989a5e77587f7f7a66bcc46c89f53e3629a507d537721c234866710cabb362b79da74a
SSDEEP

6144:5Bnuy0yPQ9aJbN6bWfO8hOXFI07pyDRAHUdTHyqiYBNBYd5PP2Tkc+:Ky0yPQ90bN6bkhI9W2rMNBYn2Ic+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

phduzwarfr.exe

pid process

832 phduzwarfr.exe
Loads dropped DLL 2 IoCs

Processes:

clientIC.exe

pid process

1200 clientIC.exe
1200 clientIC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
832	phduzwarfr.exe

pid	process
1200	clientIC.exe
1200	clientIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

clientIC.exe

description	pid	process	target process
PID 1200 wrote to memory of 832	1200	clientIC.exe	phduzwarfr.exe
PID 1200 wrote to memory of 832	1200	clientIC.exe	phduzwarfr.exe
PID 1200 wrote to memory of 832	1200	clientIC.exe	phduzwarfr.exe
PID 1200 wrote to memory of 832	1200	clientIC.exe	phduzwarfr.exe

C:\Users\Admin\AppData\Local\Temp\clientIC.exe
"C:\Users\Admin\AppData\Local\Temp\clientIC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
"C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe" C:\Users\Admin\AppData\Local\Temp\zvqzaut.hws
2⤵
- Executes dropped EXE
PID:832

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
Filesize
58KB

MD5
b670630c7aa6f7e6951b5c76c744d4d9

SHA1
de350e75c9bafcd96a7d1d7d903f5a93bd1feac9

SHA256
29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54

SHA512
ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a

Download Submit
\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
Filesize
58KB

MD5
b670630c7aa6f7e6951b5c76c744d4d9

SHA1
de350e75c9bafcd96a7d1d7d903f5a93bd1feac9

SHA256
29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54

SHA512
ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a

Download Submit
\Users\Admin\AppData\Local\Temp\phduzwarfr.exe
Filesize
58KB

MD5
b670630c7aa6f7e6951b5c76c744d4d9

SHA1
de350e75c9bafcd96a7d1d7d903f5a93bd1feac9

SHA256
29401b58e8e60b9263f1cf414ceb9d86ba008228398d102c98d9adbd914afa54

SHA512
ec639fe440a1b005df43e0ded88ced0db1d8bc88a10a7c1d150658911a32233246969ad1b6819618d02a00883ac5c13405978d67674f6a662e540cd3a87d4d7a

Download Submit
memory/832-57-0x0000000000000000-mapping.dmp

Download
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download