b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2

Analysis

max time kernel
171s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Size

560KB
MD5

cc097f39b5675b5170eeaefad2cdb6e5
SHA1

3e6c1af8b7e4df9ee7d90c399da221dbb8194be8
SHA256

b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2
SHA512

3295c6aa1416df26bd3cbf7e0c7a91146e73ac4e8459b102b4fcf6e606c524d4d961fdc25374ac20a4727ea72e1f15e07fd20145f5712af33c4654d77fa8b256
SSDEEP

12288:Y3nZMhJ+ubNJtqyk4YAY+hfOh43nofBD5qGhRDUOOxwROywrE2+:Y3nZqfbvtKfAThc43nYBD1DLTiEt

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1964	324ekdown.cam.com
1480	win.exe
1400	mshlp.exe
832	win32.exe

Loads dropped DLL 6 IoCs

pid	Process
860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
1964	324ekdown.cam.com
1480	win.exe
1480	win.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xvid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mshlp.exe"	win32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.cam	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.cam\ = "cam_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1324	AcroRd32.exe
1324	AcroRd32.exe
1324	AcroRd32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 860 wrote to memory of 1052	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	27
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 1052 wrote to memory of 1324	1052	rundll32.exe	28
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 860 wrote to memory of 1964	860	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	30
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1964 wrote to memory of 1480	1964	324ekdown.cam.com	31
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 1400	1480	win.exe	32
PID 1480 wrote to memory of 832	1480	win.exe	33
PID 1480 wrote to memory of 832	1480	win.exe	33
PID 1480 wrote to memory of 832	1480	win.exe	33
PID 1480 wrote to memory of 832	1480	win.exe	33
PID 1480 wrote to memory of 832	1480	win.exe	33
PID 1480 wrote to memory of 832	1480	win.exe	33
PID 1480 wrote to memory of 832	1480	win.exe	33

C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
"C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lol.cam
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lol.cam"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com
  "C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\win.exe
    "C:\Users\Admin\AppData\Local\Temp\win.exe" -p321
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\mshlp.exe
      "C:\Users\Admin\AppData\Local\Temp\mshlp.exe"
      4⤵
      Executes dropped EXE
      PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\win32.exe
      "C:\Users\Admin\AppData\Local\Temp\win32.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol.cam

Filesize
318KB

MD5
ebf41e3803a59d2bba3e28dfe9b306ec

SHA1
02d014ba6d7f3b0b97f6f59d9ba3b04a9488164a

SHA256
5a3688cc19f417b518e74b44d91366ceb2104e49f1c093d2b79ee4e1792b3e2f

SHA512
d56c13e3a1f69c75d7fa89ec64d29a7e999ea5e90228cefa298d782adedf7235896c6e6b4af303229a3f94159823c5f73007483fa27ef1e4b60dbdb1d6a1675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshlp.exe

Filesize
49KB

MD5
2afd69b56cf24e5b216e640a979497ee

SHA1
5db3fcba21bbfc45581d09936da33bfce2dcc675

SHA256
81962b9df59eb588973d2888de11cf410f60d7e6e65e5c77b36dd28690fef522

SHA512
cd1139f47d935330abcb2f6402f948d26d6bc94962c0b1a7b9ac5466b6fe8847861d0f7b358f6e2cf7e91bc061e66a9ee795a2c62059b87552106b4bff78ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
139KB

MD5
dee240d01db48ec0704a4520695db7a9

SHA1
2046c4b30c73734920d10416457594f72c1e2dac

SHA256
dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a

SHA512
c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
139KB

MD5
dee240d01db48ec0704a4520695db7a9

SHA1
2046c4b30c73734920d10416457594f72c1e2dac

SHA256
dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a

SHA512
c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32.exe

Filesize
48KB

MD5
ab4ee7911f9c760f4155956a2b4378f4

SHA1
4faae72c80e41f972a39a712dd18c508510868a9

SHA256
e54855dc2a6a284040dd44056b112b081b699d33689c16c03058b940f2432e8b

SHA512
28da7353710363408773ff9a6d7850511d0f5d8443bd9b10f51e989ffd46070527e690a6beaa62f0d2e775896d29cd39808022b9b05415452b134a26c33107e9

Download Submit
\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
\Users\Admin\AppData\Local\Temp\mshlp.exe

Filesize
49KB

MD5
2afd69b56cf24e5b216e640a979497ee

SHA1
5db3fcba21bbfc45581d09936da33bfce2dcc675

SHA256
81962b9df59eb588973d2888de11cf410f60d7e6e65e5c77b36dd28690fef522

SHA512
cd1139f47d935330abcb2f6402f948d26d6bc94962c0b1a7b9ac5466b6fe8847861d0f7b358f6e2cf7e91bc061e66a9ee795a2c62059b87552106b4bff78ab81

Download Submit
\Users\Admin\AppData\Local\Temp\win.exe

Filesize
139KB

MD5
dee240d01db48ec0704a4520695db7a9

SHA1
2046c4b30c73734920d10416457594f72c1e2dac

SHA256
dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a

SHA512
c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Download Submit
\Users\Admin\AppData\Local\Temp\win32.exe

Filesize
48KB

MD5
ab4ee7911f9c760f4155956a2b4378f4

SHA1
4faae72c80e41f972a39a712dd18c508510868a9

SHA256
e54855dc2a6a284040dd44056b112b081b699d33689c16c03058b940f2432e8b

SHA512
28da7353710363408773ff9a6d7850511d0f5d8443bd9b10f51e989ffd46070527e690a6beaa62f0d2e775896d29cd39808022b9b05415452b134a26c33107e9

Download Submit
memory/860-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download