Analysis
  Max time kernel: 171s
  Max time network: 45s
  Platform: windows7_x64
  Resource: win7-20220812-en
  Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  Submitted: 02/12/2022, 22:21

  Static task: static1
  Behavioral task: behavioral1
    Sample: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
    Resource: win7-20220812-en
  Behavioral task: behavioral2
    Sample: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
    Resource: win10v2004-20220901-en

General
  Target: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
  Size: 560KB
  MD5: cc097f39b5675b5170eeaefad2cdb6e5
  SHA1: 3e6c1af8b7e4df9ee7d90c399da221dbb8194be8
  SHA256: b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2
  SHA512: 3295c6aa1416df26bd3cbf7e0c7a91146e73ac4e8459b102b4fcf6e606c524d4d961fdc25374ac20a4727ea72e1f15e07fd20145f5712af33c4654d77fa8b256
  SSDEEP: 12288:Y3nZMhJ+ubNJtqyk4YAY+hfOh43nofBD5qGhRDUOOxwROywrE2+:Y3nZqfbvtKfAThc43nYBD1DLTiEt
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  PID   Process
  1964  324ekdown.cam.com
  1480  win.exe
  1400  mshlp.exe
  832   win32.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  860   b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
  860   b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
  860   b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
  1964  324ekdown.cam.com
  1480  win.exe
  1480  win.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xvid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mshlp.exe" (process: win32.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (10 IoCs; all by process rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.cam
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.cam\ = "cam_auto_file"
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell\Read\command
  - Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell\Read
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file\shell
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  - Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\cam_auto_file

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process
  1324  AcroRd32.exe
  1324  AcroRd32.exe
  1324  AcroRd32.exe

Suspicious use of WriteProcessMemory (42 IoCs; each relationship below was logged 7 times)
  - PID 860 (b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe) wrote to memory of 1052, procid_target 27
  - PID 1052 (rundll32.exe) wrote to memory of 1324, procid_target 28
  - PID 860 (b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe) wrote to memory of 1964, procid_target 30
  - PID 1964 (324ekdown.cam.com) wrote to memory of 1480, procid_target 31
  - PID 1480 (win.exe) wrote to memory of 1400, procid_target 32
  - PID 1480 (win.exe) wrote to memory of 832, procid_target 33
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe"
   PID: 860
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lol.cam
      PID: 1052
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lol.cam"
         PID: 1324
         - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com
      Command line: "C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com"
      PID: 1964
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\win.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\win.exe" -p321
         PID: 1480
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\mshlp.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\mshlp.exe"
            PID: 1400
            - Executes dropped EXE

         4. C:\Users\Admin\AppData\Local\Temp\win32.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\win32.exe"
            PID: 832
            - Executes dropped EXE
            - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads