dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f

Analysis

max time kernel
148s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe
Size

361KB
MD5

4a6e5a3cfa62cf5d859b4cae7514adbf
SHA1

dfb7e6ca26a693063e0f63e0b4e3aaa8cc94c9b2
SHA256

dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f
SHA512

fab40c080c26e9fba646d55c157dc036975af3b7208ed139fc19cbd815fbf2464d22a822293c101cd30447ec6d35342872c36766791b51a5b88f41c442669ea6
SSDEEP

6144:ydERK1PNN3sW3Ca+7WkSdskgaIwV9ARnDiHFY6u8F4hZ2FzvlXyoC+UMR9hHf0E0:TRK8WrgSdsklT6RiHF1rFFvlXyoXdR/a

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1588	s1v4..exe
1760	s1v4.1.exe
952	s1n0..exe
1524	s1hk.1.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-55-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-56.dat	upx
behavioral1/files/0x0007000000005c50-57.dat	upx
behavioral1/files/0x0007000000005c50-59.dat	upx
behavioral1/files/0x0007000000005c50-61.dat	upx
behavioral1/files/0x000900000001429e-63.dat	upx
behavioral1/files/0x000900000001429e-62.dat	upx
behavioral1/files/0x000900000001429e-65.dat	upx
behavioral1/files/0x000900000001429e-67.dat	upx
behavioral1/memory/1760-75-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/files/0x000700000001446b-80.dat	upx
behavioral1/files/0x000700000001446b-82.dat	upx
behavioral1/files/0x000700000001446b-79.dat	upx
behavioral1/files/0x000700000001446b-84.dat	upx
behavioral1/memory/1524-86-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1524-87-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2020-88-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1760-89-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe
2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe
2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe
2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe
1760	s1v4.1.exe
1760	s1v4.1.exe
1588	s1v4..exe
1588	s1v4..exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	s1hk.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\"	s1hk.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ckmgr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\ckmgr.exe"	s1n0..exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\"	s1hk.1.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	s1hk.1.exe
File opened (read-only)	\??\z:	s1hk.1.exe
File opened (read-only)	\??\b:	s1hk.1.exe
File opened (read-only)	\??\h:	s1hk.1.exe
File opened (read-only)	\??\l:	s1hk.1.exe
File opened (read-only)	\??\o:	s1hk.1.exe
File opened (read-only)	\??\r:	s1hk.1.exe
File opened (read-only)	\??\u:	s1hk.1.exe
File opened (read-only)	\??\i:	s1hk.1.exe
File opened (read-only)	\??\n:	s1hk.1.exe
File opened (read-only)	\??\p:	s1hk.1.exe
File opened (read-only)	\??\t:	s1hk.1.exe
File opened (read-only)	\??\m:	s1hk.1.exe
File opened (read-only)	\??\s:	s1hk.1.exe
File opened (read-only)	\??\v:	s1hk.1.exe
File opened (read-only)	\??\w:	s1hk.1.exe
File opened (read-only)	\??\q:	s1hk.1.exe
File opened (read-only)	\??\y:	s1hk.1.exe
File opened (read-only)	\??\a:	s1hk.1.exe
File opened (read-only)	\??\f:	s1hk.1.exe
File opened (read-only)	\??\g:	s1hk.1.exe
File opened (read-only)	\??\j:	s1hk.1.exe
File opened (read-only)	\??\k:	s1hk.1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\	s1hk.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1524	s1hk.1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
516	DllHost.exe
516	DllHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1588	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	26
PID 2020 wrote to memory of 1588	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	26
PID 2020 wrote to memory of 1588	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	26
PID 2020 wrote to memory of 1588	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	26
PID 2020 wrote to memory of 1760	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	27
PID 2020 wrote to memory of 1760	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	27
PID 2020 wrote to memory of 1760	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	27
PID 2020 wrote to memory of 1760	2020	dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe	27
PID 1760 wrote to memory of 952	1760	s1v4.1.exe	28
PID 1760 wrote to memory of 952	1760	s1v4.1.exe	28
PID 1760 wrote to memory of 952	1760	s1v4.1.exe	28
PID 1760 wrote to memory of 952	1760	s1v4.1.exe	28
PID 1588 wrote to memory of 1524	1588	s1v4..exe	30
PID 1588 wrote to memory of 1524	1588	s1v4..exe	30
PID 1588 wrote to memory of 1524	1588	s1v4..exe	30
PID 1588 wrote to memory of 1524	1588	s1v4..exe	30
PID 1524 wrote to memory of 1272	1524	s1hk.1.exe	11
PID 1524 wrote to memory of 2020	1524	s1hk.1.exe	16
PID 1524 wrote to memory of 1588	1524	s1hk.1.exe	26
PID 1524 wrote to memory of 1760	1524	s1hk.1.exe	27
PID 1524 wrote to memory of 952	1524	s1hk.1.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe
"C:\Users\Admin\AppData\Local\Temp\dd5340847edcc7f70ebc1444e869177df24fb14b87c57d48f449e74f8efa5e8f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\s1v4..exe
  "C:\Users\Admin\AppData\Local\Temp\s1v4..exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\s1hk.1.exe
    "C:\Users\Admin\AppData\Local\Temp\s1hk.1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1524
- C:\Users\Admin\AppData\Local\Temp\s1v4.1.exe
  "C:\Users\Admin\AppData\Local\Temp\s1v4.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\s1n0..exe
    "C:\Users\Admin\AppData\Local\Temp\s1n0..exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s1hk..JPG

Filesize
62KB

MD5
4604ce04e21a545ef20520c55dee28e6

SHA1
e95e869f2797ab7960510c8ec89bd6ce0b31d49c

SHA256
f225d88ff47d798359d0613f55f980c27fa2d5fa1829c96bb98ab479838bc768

SHA512
d9237384b670fd0d42bf7773b9c0b642ec145c33777d4a12d7b4f8dd5fa2747bdae9e26fd09257fbe2aee602c060995e8013e0469b54bd0a8ce047fdccf0fa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1hk.1.exe

Filesize
183KB

MD5
b97f31c417a83b71ec15009af2f2a2b7

SHA1
3b3572a600d4ad0377b7d783d387479abbd1a1a2

SHA256
8d5ada033845acf2f613c9f60220ca142f25fa7fdf530356c7c63bdc47ebca1e

SHA512
d65222fc35f46508424faf44395af4183562dd8f3cfc21a93ff6d1718c4f0fbb14f21ab45e85c3f02622fa87a35cf28bf7b39a4b91fcb9c011b11f4cbe3e4f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1hk.1.exe

Filesize
183KB

MD5
b97f31c417a83b71ec15009af2f2a2b7

SHA1
3b3572a600d4ad0377b7d783d387479abbd1a1a2

SHA256
8d5ada033845acf2f613c9f60220ca142f25fa7fdf530356c7c63bdc47ebca1e

SHA512
d65222fc35f46508424faf44395af4183562dd8f3cfc21a93ff6d1718c4f0fbb14f21ab45e85c3f02622fa87a35cf28bf7b39a4b91fcb9c011b11f4cbe3e4f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1n0..exe

Filesize
27KB

MD5
79944526763e2bdbd6baae0b4767a2cf

SHA1
8282fe00cdef71165b5751df348b401aa5d433a0

SHA256
b114feda1d6f3848633af3beb15912d23c60f1cd95dd0c994c36bad40412a64c

SHA512
0f5cea655387d9f8a0349289e07caf3ed50aabedaa7671a934437418d36265d897c8deba27c2b47d6e2e22083fe06ea48f0959356b5706b7322a87983dae5ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1n0..exe

Filesize
27KB

MD5
79944526763e2bdbd6baae0b4767a2cf

SHA1
8282fe00cdef71165b5751df348b401aa5d433a0

SHA256
b114feda1d6f3848633af3beb15912d23c60f1cd95dd0c994c36bad40412a64c

SHA512
0f5cea655387d9f8a0349289e07caf3ed50aabedaa7671a934437418d36265d897c8deba27c2b47d6e2e22083fe06ea48f0959356b5706b7322a87983dae5ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1n0.1.jpg

Filesize
72KB

MD5
c3427eafc955f9cd4a5db190b34841d6

SHA1
3b2f00d5a76052e218009a6b9b77c221e68db7d1

SHA256
f5042913f5ffd5f88dea8096ecb3f50cee983a7a3f0e19dd2d330cb5ae8a6f93

SHA512
d0a0d92bec8784e1cbfa81fa363501a1d29ad74fbdd02a2fcca5074ea51b5aadc1dc3786c5fd210d878d16dd957f5bcbb3d0465bd6fed55a6d8fa65b71f73541

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1v4..exe

Filesize
250KB

MD5
77cc93b86640acc2066584b4abd1b09e

SHA1
51d0dec23674603b30c46228f51e79904d4efd73

SHA256
53788b643b46df347b1e425f066049f397aebf7a511a4a3480b8a7b156fba8a8

SHA512
525c4766a2e07af46f2f81099fae63eeee1245132129ccfedcef77eec29094a0418fae7cb4bde5a195be54ff9cfbb141cf946406047ee45950ec10bc060c76e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1v4..exe

Filesize
250KB

MD5
77cc93b86640acc2066584b4abd1b09e

SHA1
51d0dec23674603b30c46228f51e79904d4efd73

SHA256
53788b643b46df347b1e425f066049f397aebf7a511a4a3480b8a7b156fba8a8

SHA512
525c4766a2e07af46f2f81099fae63eeee1245132129ccfedcef77eec29094a0418fae7cb4bde5a195be54ff9cfbb141cf946406047ee45950ec10bc060c76e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1v4.1.exe

Filesize
105KB

MD5
679b6606db8b1df8053e37c6c89ab2c1

SHA1
4f534742c2850fce8230dc6203574f6b49fabbec

SHA256
7e69a30d119e7a9c664e8a8873765f05b447f14fd48de3fd3ff15ab99a6d6d66

SHA512
3748e5704636198707ec97ed88362a54545865daa23509a96677cfe5f17dfe9c80f55345bc427512b1a24c2e64bc45c9be2d56cf4d3f234e993e2d9b54d4aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1v4.1.exe

Filesize
105KB

MD5
679b6606db8b1df8053e37c6c89ab2c1

SHA1
4f534742c2850fce8230dc6203574f6b49fabbec

SHA256
7e69a30d119e7a9c664e8a8873765f05b447f14fd48de3fd3ff15ab99a6d6d66

SHA512
3748e5704636198707ec97ed88362a54545865daa23509a96677cfe5f17dfe9c80f55345bc427512b1a24c2e64bc45c9be2d56cf4d3f234e993e2d9b54d4aa64

Download Submit
\Users\Admin\AppData\Local\Temp\s1hk.1.exe

Filesize
183KB

MD5
b97f31c417a83b71ec15009af2f2a2b7

SHA1
3b3572a600d4ad0377b7d783d387479abbd1a1a2

SHA256
8d5ada033845acf2f613c9f60220ca142f25fa7fdf530356c7c63bdc47ebca1e

SHA512
d65222fc35f46508424faf44395af4183562dd8f3cfc21a93ff6d1718c4f0fbb14f21ab45e85c3f02622fa87a35cf28bf7b39a4b91fcb9c011b11f4cbe3e4f5c

Download Submit
\Users\Admin\AppData\Local\Temp\s1hk.1.exe

Filesize
183KB

MD5
b97f31c417a83b71ec15009af2f2a2b7

SHA1
3b3572a600d4ad0377b7d783d387479abbd1a1a2

SHA256
8d5ada033845acf2f613c9f60220ca142f25fa7fdf530356c7c63bdc47ebca1e

SHA512
d65222fc35f46508424faf44395af4183562dd8f3cfc21a93ff6d1718c4f0fbb14f21ab45e85c3f02622fa87a35cf28bf7b39a4b91fcb9c011b11f4cbe3e4f5c

Download Submit
\Users\Admin\AppData\Local\Temp\s1n0..exe

Filesize
27KB

MD5
79944526763e2bdbd6baae0b4767a2cf

SHA1
8282fe00cdef71165b5751df348b401aa5d433a0

SHA256
b114feda1d6f3848633af3beb15912d23c60f1cd95dd0c994c36bad40412a64c

SHA512
0f5cea655387d9f8a0349289e07caf3ed50aabedaa7671a934437418d36265d897c8deba27c2b47d6e2e22083fe06ea48f0959356b5706b7322a87983dae5ad4

Download Submit
\Users\Admin\AppData\Local\Temp\s1n0..exe

Filesize
27KB

MD5
79944526763e2bdbd6baae0b4767a2cf

SHA1
8282fe00cdef71165b5751df348b401aa5d433a0

SHA256
b114feda1d6f3848633af3beb15912d23c60f1cd95dd0c994c36bad40412a64c

SHA512
0f5cea655387d9f8a0349289e07caf3ed50aabedaa7671a934437418d36265d897c8deba27c2b47d6e2e22083fe06ea48f0959356b5706b7322a87983dae5ad4

Download Submit
\Users\Admin\AppData\Local\Temp\s1v4..exe

Filesize
250KB

MD5
77cc93b86640acc2066584b4abd1b09e

SHA1
51d0dec23674603b30c46228f51e79904d4efd73

SHA256
53788b643b46df347b1e425f066049f397aebf7a511a4a3480b8a7b156fba8a8

SHA512
525c4766a2e07af46f2f81099fae63eeee1245132129ccfedcef77eec29094a0418fae7cb4bde5a195be54ff9cfbb141cf946406047ee45950ec10bc060c76e6

Download Submit
\Users\Admin\AppData\Local\Temp\s1v4..exe

Filesize
250KB

MD5
77cc93b86640acc2066584b4abd1b09e

SHA1
51d0dec23674603b30c46228f51e79904d4efd73

SHA256
53788b643b46df347b1e425f066049f397aebf7a511a4a3480b8a7b156fba8a8

SHA512
525c4766a2e07af46f2f81099fae63eeee1245132129ccfedcef77eec29094a0418fae7cb4bde5a195be54ff9cfbb141cf946406047ee45950ec10bc060c76e6

Download Submit
\Users\Admin\AppData\Local\Temp\s1v4.1.exe

Filesize
105KB

MD5
679b6606db8b1df8053e37c6c89ab2c1

SHA1
4f534742c2850fce8230dc6203574f6b49fabbec

SHA256
7e69a30d119e7a9c664e8a8873765f05b447f14fd48de3fd3ff15ab99a6d6d66

SHA512
3748e5704636198707ec97ed88362a54545865daa23509a96677cfe5f17dfe9c80f55345bc427512b1a24c2e64bc45c9be2d56cf4d3f234e993e2d9b54d4aa64

Download Submit
\Users\Admin\AppData\Local\Temp\s1v4.1.exe

Filesize
105KB

MD5
679b6606db8b1df8053e37c6c89ab2c1

SHA1
4f534742c2850fce8230dc6203574f6b49fabbec

SHA256
7e69a30d119e7a9c664e8a8873765f05b447f14fd48de3fd3ff15ab99a6d6d66

SHA512
3748e5704636198707ec97ed88362a54545865daa23509a96677cfe5f17dfe9c80f55345bc427512b1a24c2e64bc45c9be2d56cf4d3f234e993e2d9b54d4aa64

Download Submit
memory/952-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/952-70-0x0000000000000000-mapping.dmp

Download
memory/952-90-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1524-81-0x0000000000000000-mapping.dmp

Download
memory/1524-86-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1524-87-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1588-58-0x0000000000000000-mapping.dmp

Download
memory/1588-85-0x0000000002B90000-0x0000000002C0E000-memory.dmp

Filesize
504KB

Download
memory/1760-89-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1760-75-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1760-76-0x0000000002640000-0x0000000002653000-memory.dmp

Filesize
76KB

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download
memory/2020-73-0x0000000002640000-0x0000000002647000-memory.dmp

Filesize
28KB

Download
memory/2020-88-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/2020-74-0x0000000002650000-0x0000000002657000-memory.dmp

Filesize
28KB

Download
memory/2020-55-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download