Analysis
-
max time kernel
106s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
30-11-2022 19:31
General
-
Target
0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a.exe
-
Size
1.4MB
-
MD5
01fd884a92da62e9796257b889594709
-
SHA1
5c92e5d3d80c587a8db443947d79d327f44aa437
-
SHA256
0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a
-
SHA512
c1de8e07da62a813912a04bb9bf23f3abaeb7c3bfb095d3a57ae70c59853ae6911d564fca861a677fe200708c47aaaea4fd58453bb1cf05817d37c11e6abf889
-
SSDEEP
24576:Ab/JZbr1coVWDAc/HTvMsaFnLKBkwDJBR99RZ+yUDTVrhD85Oe4:a/JZbJIcLKBbJRZ+ZTVd85A
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a.exe"C:\Users\Admin\AppData\Local\Temp\0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a.exe"C:\Users\Admin\AppData\Local\Temp\0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0a71d1bf605fb50be57e5b76b7914d0b158c618e6a42c1c571cafe489fdde16a.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I85KP1CO.txtFilesize
531B
MD58b2171d9364222b3778ce98ab7f430fd
SHA1e2e1653683c51a55b48f992a8688f963ad6d4622
SHA2569f995ef09737e31fed30797317e23e02731d540ec16e214a65a367eb17488ac3
SHA5121cc0cbc6c3180728072b342ee834da28c46cfeccfd4a9005a2fc6b44aa29e9ef5f9ad28a9d5e4769aacdb87d7d0024283d959da29c987882419eb6a1a7673347
-
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmpFilesize
8KB
-
memory/2044-55-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2044-56-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2044-58-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2044-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2044-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2044-64-0x000000000040C4FE-mapping.dmp
-
memory/2044-66-0x0000000000402000-0x000000000040C600-memory.dmpFilesize
41KB