1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e

Analysis

max time kernel
79s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Size

3.1MB
MD5

6460c9956bd90b9fc83d318aac0c72f7
SHA1

130d7cd6d44234a2c8b78bb10a592539ecae0703
SHA256

1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e
SHA512

d33c712830bd31d16eb7aba30eaf331cef6ac6a5b06c5be0180411caa5828e147db8379991431cb2098ee5ff00437cc2c7e333930df215b2856d5b30da768603
SSDEEP

49152:T0T9a9PH8kmpnUYBTGpax+5jrdewURNGzGo5KG+jLcasY6DwOBfrnvV7UeWtPNZ:TQofrJuTGKnwURNGUnjQYiwOBpIeWHZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Loads dropped DLL 2 IoCs

pid	Process
684	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
1320	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 1320	684	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	27
PID 684 wrote to memory of 1320	684	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	27
PID 684 wrote to memory of 1320	684	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	27
PID 684 wrote to memory of 1320	684	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	27

C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
"C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  "C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Filesize
3.0MB

MD5
7d590bccd10a91278a1d0c1db1e6886f

SHA1
b95b286fa7ba1457bb7a93b06761177e84b0c8e2

SHA256
cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155

SHA512
00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Filesize
3.0MB

MD5
7d590bccd10a91278a1d0c1db1e6886f

SHA1
b95b286fa7ba1457bb7a93b06761177e84b0c8e2

SHA256
cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155

SHA512
00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9

Download Submit
\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Filesize
3.0MB

MD5
7d590bccd10a91278a1d0c1db1e6886f

SHA1
b95b286fa7ba1457bb7a93b06761177e84b0c8e2

SHA256
cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155

SHA512
00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9

Download Submit
\Users\Admin\AppData\Local\Temp\4wz3ezdd.kn0\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
memory/684-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/684-59-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-79-0x0000000064E70000-0x0000000065142000-memory.dmp

Filesize
2.8MB

Download
memory/1320-83-0x0000000074CD0000-0x0000000074D5F000-memory.dmp

Filesize
572KB

Download
memory/1320-64-0x0000000076170000-0x000000007621C000-memory.dmp

Filesize
688KB

Download
memory/1320-65-0x0000000076100000-0x0000000076147000-memory.dmp

Filesize
284KB

Download
memory/1320-66-0x0000000074E50000-0x0000000074EA7000-memory.dmp

Filesize
348KB

Download
memory/1320-67-0x00000000747C0000-0x00000000747C9000-memory.dmp

Filesize
36KB

Download
memory/1320-68-0x00000000739C0000-0x0000000073F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-70-0x00000000012A0000-0x0000000001390000-memory.dmp

Filesize
960KB

Download
memory/1320-71-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/1320-72-0x0000000076100000-0x0000000076147000-memory.dmp

Filesize
284KB

Download
memory/1320-73-0x00000000739C0000-0x0000000073F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-69-0x0000000075070000-0x0000000075CBA000-memory.dmp

Filesize
12.3MB

Download
memory/1320-75-0x0000000075CC0000-0x0000000075E1C000-memory.dmp

Filesize
1.4MB

Download
memory/1320-76-0x0000000074630000-0x000000007468B000-memory.dmp

Filesize
364KB

Download
memory/1320-77-0x0000000076300000-0x0000000076335000-memory.dmp

Filesize
212KB

Download
memory/1320-78-0x0000000076590000-0x00000000766AD000-memory.dmp

Filesize
1.1MB

Download
memory/1320-61-0x0000000074850000-0x000000007489A000-memory.dmp

Filesize
296KB

Download
memory/1320-82-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1320-62-0x00000000012A0000-0x0000000001390000-memory.dmp

Filesize
960KB

Download
memory/1320-85-0x0000000073790000-0x00000000737A5000-memory.dmp

Filesize
84KB

Download
memory/1320-86-0x00000000737B0000-0x0000000073802000-memory.dmp

Filesize
328KB

Download
memory/1320-88-0x0000000076150000-0x0000000076169000-memory.dmp

Filesize
100KB

Download
memory/1320-89-0x0000000073680000-0x00000000736CF000-memory.dmp

Filesize
316KB

Download
memory/1320-90-0x00000000736D0000-0x0000000073728000-memory.dmp

Filesize
352KB

Download
memory/1320-91-0x0000000073490000-0x00000000734AC000-memory.dmp

Filesize
112KB

Download
memory/1320-92-0x00000000749F0000-0x00000000749FC000-memory.dmp

Filesize
48KB

Download
memory/1320-94-0x0000000075E20000-0x0000000075E47000-memory.dmp

Filesize
156KB

Download
memory/1320-95-0x0000000076150000-0x0000000076169000-memory.dmp

Filesize
100KB

Download
memory/1320-96-0x00000000012A0000-0x0000000001390000-memory.dmp

Filesize
960KB

Download
memory/1320-97-0x0000000076100000-0x0000000076147000-memory.dmp

Filesize
284KB

Download
memory/1320-98-0x00000000739C0000-0x0000000073F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-99-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1320-100-0x0000000072AC0000-0x0000000072C50000-memory.dmp

Filesize
1.6MB

Download
memory/1320-101-0x000000006FB50000-0x000000006FBAF000-memory.dmp

Filesize
380KB

Download
memory/1320-102-0x0000000073400000-0x0000000073413000-memory.dmp

Filesize
76KB

Download
memory/1320-103-0x000000000107A000-0x000000000108B000-memory.dmp

Filesize
68KB

Download
memory/1320-104-0x000000000107A000-0x000000000108B000-memory.dmp

Filesize
68KB

Download