d4764983c36112e601465b868a7300521a22603ad82be39dc5f3a796dbafc1d3

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Specications.exe
Size

238KB
MD5

c72a49e97664c9b70f96c90495bd9224
SHA1

16ffe09a3e7376946751825dabd50534f7d2a3f2
SHA256

d4764983c36112e601465b868a7300521a22603ad82be39dc5f3a796dbafc1d3
SHA512

abbf1e9b8643889dd5115817dad630d3b7162c45d92a8fb43fa7221ce0107cf5e67908d64aaf78c2e4c84ec05077a10bf9f887e44a7a270caa5b99ba8d86c3a1
SSDEEP

6144:QBn1QmZY0qzXqPLoZiQpUNmkoRH9yrDwbP8EDHjd:gBZY0CDpUNm5dyvnk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vynlrafu.exe

pid process

900 vynlrafu.exe
Loads dropped DLL 1 IoCs

Processes:

Order Specications.exe

pid process

2024 Order Specications.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
900	vynlrafu.exe

pid	process
2024	Order Specications.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Order Specications.exe

description	pid	process	target process
PID 2024 wrote to memory of 900	2024	Order Specications.exe	vynlrafu.exe
PID 2024 wrote to memory of 900	2024	Order Specications.exe	vynlrafu.exe
PID 2024 wrote to memory of 900	2024	Order Specications.exe	vynlrafu.exe
PID 2024 wrote to memory of 900	2024	Order Specications.exe	vynlrafu.exe

C:\Users\Admin\AppData\Local\Temp\Order Specications.exe
"C:\Users\Admin\AppData\Local\Temp\Order Specications.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
"C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe" C:\Users\Admin\AppData\Local\Temp\gmqmvhirk.scu
2⤵
- Executes dropped EXE
PID:900

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
Filesize
37KB

MD5
56b0afc73d669c9f01d559f5e5020c4a

SHA1
ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6

SHA256
8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d

SHA512
51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14

Download Submit
\Users\Admin\AppData\Local\Temp\vynlrafu.exe
Filesize
37KB

MD5
56b0afc73d669c9f01d559f5e5020c4a

SHA1
ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6

SHA256
8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d

SHA512
51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14

Download Submit
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download