Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-12-2022 22:32

General

  • Target

    dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9.exe

  • Size

    232KB

  • MD5

    634b19d6ce073a71634c83691d0e8a5e

  • SHA1

    15e5eea84cd5db35adbea33e4958b6cb10d16c1e

  • SHA256

    dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9

  • SHA512

    38f2cdee9bb62a05df93e7ec23fb2360291e99d47f625f81b533aca3348b64e85dc922873681b0df0d9e61f825cdcf4c67a21813cf033673771bb29d934c3af1

  • SSDEEP

    6144:R3PFKs7diixRSFBfWEqxF6snji81RUinK51jbkxkubS0:dPhJuBXVbkxJb1

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9.exe
    "C:\Users\Admin\AppData\Local\Temp\dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\vgrioh.exe
      "C:\Users\Admin\vgrioh.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1772

Network

  • DNS
    ns1.musiczipz.com
    dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9.exe
    Remote address:
    8.8.8.8:53
    Request
    ns1.musiczipz.com
    IN A
    Response
    ns1.musiczipz.com
    IN A
    81.17.29.150
  • 81.17.29.150:8000
    ns1.musiczipz.com
    dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9.exe
    152 B
    3
  • 8.8.8.8:53
    ns1.musiczipz.com
    dns
    dd6bc7d187cff1e2bda79ed44a68583a7e2df837891aa41cbbc98ccf3ad37ea9.exe
    63 B
    79 B
    1
    1

    DNS Request

    ns1.musiczipz.com

    DNS Response

    81.17.29.150

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\vgrioh.exe

    Filesize

    232KB

    MD5

    a08f37daffb57d03f4e6fc6fd07a954b

    SHA1

    37f0ba3c3379855aff8fb0e037ff0d95d49fc9c3

    SHA256

    9c9103f1161718b293a7f74dc47d7e896acab796cc212e6e4db853e44421eaef

    SHA512

    49032797ac26e928678b696dc4f9cf9f91d48e6e40476cb91650938769e601ae06e83a318c3a620c5f48cebd716d1a71c705dc41321320308480fec4d4ab890d

  • \Users\Admin\vgrioh.exe

    Filesize

    232KB

    MD5

    a08f37daffb57d03f4e6fc6fd07a954b

    SHA1

    37f0ba3c3379855aff8fb0e037ff0d95d49fc9c3

    SHA256

    9c9103f1161718b293a7f74dc47d7e896acab796cc212e6e4db853e44421eaef

    SHA512

    49032797ac26e928678b696dc4f9cf9f91d48e6e40476cb91650938769e601ae06e83a318c3a620c5f48cebd716d1a71c705dc41321320308480fec4d4ab890d

  • memory/1772-59-0x0000000000000000-mapping.dmp

  • memory/1980-56-0x0000000075981000-0x0000000075983000-memory.dmp

    Filesize

    8KB
