1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab

Analysis

max time kernel
126s
max time network
121s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
Size

92KB
MD5

6c86db7e1548a489815b4e7a1f4dea55
SHA1

15781320685a8375f18745841f47bff8993181c9
SHA256

1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab
SHA512

c00f3235befb704a8dfa4e35ecd601cd6e6b6d4d2188e7bb36301f5ce753a8e280d17b09fc09328314736f080d12764804f3ddc15b0814c89e06059ceb18ea5e
SSDEEP

1536:K3ICjeh1JHsrll4ldQwEVtzq7YWVuYwO/1a4o2faHc3u:KjEJMBlCdQXtu7YiuYwO/1a4o2fMyu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1956	Explorer.exe
1292	explorer.exe

Deletes itself 1 IoCs

pid	Process
1956	Explorer.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Yhaecn\Path.rcd	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
File created	C:\Program Files (x86)\Axefeu Gxx\Explorer.exe	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
File opened for modification	C:\Program Files (x86)\Axefeu Gxx\Explorer.exe	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
File opened for modification	C:\Program Files (x86)\Yhaecn\28785	Explorer.exe
File opened for modification	C:\Program Files (x86)\Yhaecn\30527	Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1956	Explorer.exe
1956	Explorer.exe
1956	Explorer.exe
1956	Explorer.exe
1956	Explorer.exe
1956	Explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1956	1148	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	27
PID 1148 wrote to memory of 1956	1148	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	27
PID 1148 wrote to memory of 1956	1148	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	27
PID 1148 wrote to memory of 1956	1148	1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe	27
PID 1956 wrote to memory of 1292	1956	Explorer.exe	28
PID 1956 wrote to memory of 1292	1956	Explorer.exe	28
PID 1956 wrote to memory of 1292	1956	Explorer.exe	28
PID 1956 wrote to memory of 1292	1956	Explorer.exe	28

C:\Users\Admin\AppData\Local\Temp\1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe
"C:\Users\Admin\AppData\Local\Temp\1aeff00519ffe8d37b5418ff28ffdf55fa6b892114fbf993eea2d51faca958ab.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files (x86)\Axefeu Gxx\Explorer.exe
  FI
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files (x86)\Axefeu Gxx\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Axefeu Gxx\Explorer.exe

Filesize
16.5MB

MD5
f1c6421fc9f65a195ad0d852c0b91b62

SHA1
e7a0943cd23bfba5c6e36e51a4fb840b92917f4a

SHA256
78a54d33c911b5b30db2e989cc262d82ff267bd3a60d456fcfb42a25d94a72cd

SHA512
2613f28e1ceebb5428917b939280c9cd35bd9f6ac855d293dd887a96bf7960aa670dc96031d9bec9713c88dcbfe06667b1bbfcfb2443030421378fdea906de58

Download Submit
C:\Program Files (x86)\Axefeu Gxx\Explorer.exe

Filesize
16.5MB

MD5
f1c6421fc9f65a195ad0d852c0b91b62

SHA1
e7a0943cd23bfba5c6e36e51a4fb840b92917f4a

SHA256
78a54d33c911b5b30db2e989cc262d82ff267bd3a60d456fcfb42a25d94a72cd

SHA512
2613f28e1ceebb5428917b939280c9cd35bd9f6ac855d293dd887a96bf7960aa670dc96031d9bec9713c88dcbfe06667b1bbfcfb2443030421378fdea906de58

Download Submit
C:\Program Files (x86)\Yhaecn\Path.rcd

Filesize
260B

MD5
0c9c39c0a3cf6467e26c8e7fc106f99d

SHA1
15c2229c2b735be768b59bdb21d80058ebb9d1f0

SHA256
f1bab7f791dbf850c54e75857d677bf71a799e8d1e4c14a69dd07e394a85d2d9

SHA512
067b7133864fd5bb6761c20798edad4c37a183fd53cbe4ea05d1f4c4b07d42546b35d534bc584e94544b26baf2f385ae5de6a6f4059fd653bed16fcae3264c22

Download Submit
\Program Files (x86)\Axefeu Gxx\Explorer.exe

Filesize
16.5MB

MD5
f1c6421fc9f65a195ad0d852c0b91b62

SHA1
e7a0943cd23bfba5c6e36e51a4fb840b92917f4a

SHA256
78a54d33c911b5b30db2e989cc262d82ff267bd3a60d456fcfb42a25d94a72cd

SHA512
2613f28e1ceebb5428917b939280c9cd35bd9f6ac855d293dd887a96bf7960aa670dc96031d9bec9713c88dcbfe06667b1bbfcfb2443030421378fdea906de58

Download Submit
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1956-63-0x0000000074051000-0x0000000074053000-memory.dmp

Filesize
8KB

Download