1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c

Analysis

max time kernel
151s
max time network
177s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe
Size

572KB
MD5

2442f522c801886f498b3f0e615b5120
SHA1

708ecdff7207ddc7a4996078f84360d603a3d2e5
SHA256

1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c
SHA512

e6ddbb4c4b73c67e5a9fa12ab6396a560c1719eda9d1a92b9c9e3eceadf7ad988a7b29a11fdd5a9754830bf9f0f56e29ccf861b7c3008f657fbd87d638058398
SSDEEP

12288:qxBbOHsxOnvX5/qnGaNp1sx1lD9bQtEL7g3w0Xkehm:OSjnvJERBs9DBQIUv0eU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	winlog.exe

Deletes itself 1 IoCs

pid	Process
1240	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe
1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1696	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	28
PID 1900 wrote to memory of 1696	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	28
PID 1900 wrote to memory of 1696	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	28
PID 1900 wrote to memory of 1696	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	28
PID 1900 wrote to memory of 1240	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	29
PID 1900 wrote to memory of 1240	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	29
PID 1900 wrote to memory of 1240	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	29
PID 1900 wrote to memory of 1240	1900	1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe	29

C:\Users\Admin\AppData\Local\Temp\1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe
"C:\Users\Admin\AppData\Local\Temp\1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\winlog.exe
  "C:\Users\Admin\AppData\Local\winlog.exe"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\melt.bat" "
  2⤵
  - Deletes itself
  PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\melt.bat

Filesize
155B

MD5
49688dfab803dbdd21ca62ae2a55e299

SHA1
5ea6e9f426619a4672462040fed4b4254a69caf2

SHA256
57d50594ae35604907c47913aec29d7071acb33d81f6b81396d374bc2bd70eb1

SHA512
07aed19357c0f782f1e75232239384cedc41a8c2ae5f0f5ed7c7da3ce851ea58f576359d478a634f9f1f175e107806c354bd3f35a08a0734dc4ef21ede9a712e

Download Submit
C:\Users\Admin\AppData\Local\winlog.exe

Filesize
572KB

MD5
2442f522c801886f498b3f0e615b5120

SHA1
708ecdff7207ddc7a4996078f84360d603a3d2e5

SHA256
1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c

SHA512
e6ddbb4c4b73c67e5a9fa12ab6396a560c1719eda9d1a92b9c9e3eceadf7ad988a7b29a11fdd5a9754830bf9f0f56e29ccf861b7c3008f657fbd87d638058398

Download Submit
\Users\Admin\AppData\Local\winlog.exe

Filesize
572KB

MD5
2442f522c801886f498b3f0e615b5120

SHA1
708ecdff7207ddc7a4996078f84360d603a3d2e5

SHA256
1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c

SHA512
e6ddbb4c4b73c67e5a9fa12ab6396a560c1719eda9d1a92b9c9e3eceadf7ad988a7b29a11fdd5a9754830bf9f0f56e29ccf861b7c3008f657fbd87d638058398

Download Submit
\Users\Admin\AppData\Local\winlog.exe

Filesize
572KB

MD5
2442f522c801886f498b3f0e615b5120

SHA1
708ecdff7207ddc7a4996078f84360d603a3d2e5

SHA256
1f68b392ce342d0a8793a77788c1e314b2eff3e6e667b77005a5d110d59a5a9c

SHA512
e6ddbb4c4b73c67e5a9fa12ab6396a560c1719eda9d1a92b9c9e3eceadf7ad988a7b29a11fdd5a9754830bf9f0f56e29ccf861b7c3008f657fbd87d638058398

Download Submit
memory/1900-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download