Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 09:12
Static task: static1
Behavioral task: behavioral1
Sample: Order Specications.exe
Resource: win7-20220901-en
General
- Target: Order Specications.exe
- Size: 238KB
- MD5: c72a49e97664c9b70f96c90495bd9224
- SHA1: 16ffe09a3e7376946751825dabd50534f7d2a3f2
- SHA256: d4764983c36112e601465b868a7300521a22603ad82be39dc5f3a796dbafc1d3
- SHA512: abbf1e9b8643889dd5115817dad630d3b7162c45d92a8fb43fa7221ce0107cf5e67908d64aaf78c2e4c84ec05077a10bf9f887e44a7a270caa5b99ba8d86c3a1
- SSDEEP: 6144:QBn1QmZY0qzXqPLoZiQpUNmkoRH9yrDwbP8EDHjd:gBZY0CDpUNm5dyvnk
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    process        pid
    vynlrafu.exe   900
- Loads dropped DLL (1 IoC)
  Processes:
    process                  pid
    Order Specications.exe   2024
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid    process                  target process
    PID 2024 wrote to memory of 900   2024   Order Specications.exe   vynlrafu.exe
    PID 2024 wrote to memory of 900   2024   Order Specications.exe   vynlrafu.exe
    PID 2024 wrote to memory of 900   2024   Order Specications.exe   vynlrafu.exe
    PID 2024 wrote to memory of 900   2024   Order Specications.exe   vynlrafu.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Order Specications.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specications.exe"
  PID: 2024
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe" C:\Users\Admin\AppData\Local\Temp\gmqmvhirk.scu
    PID: 900
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
  Filesize: 37KB
  MD5: 56b0afc73d669c9f01d559f5e5020c4a
  SHA1: ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6
  SHA256: 8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d
  SHA512: 51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14
- \Users\Admin\AppData\Local\Temp\vynlrafu.exe
  Filesize: 37KB
  MD5: 56b0afc73d669c9f01d559f5e5020c4a
  SHA1: ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6
  SHA256: 8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d
  SHA512: 51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14
- memory/900-56-0x0000000000000000-mapping.dmp
- memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB