Overview

overview

8

Static

static

f1a0b722f2...ad.exe

windows7-x64

8

f1a0b722f2...ad.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    197s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe

  • Size

    173KB

  • MD5

    3feb88a38d7e8692436aced0fbc5e798

  • SHA1

    e86aabad1cd6539e2e0cba7b4ae07d5b33fbde7f

  • SHA256

    f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad

  • SHA512

    e860a1052ebe3af9edb309bd303066de4ab77e116b6b81fd142e903a404ce77122453189acedc0008ded3640be570125833ed6e67673888bc7a2cd247d67facc

  • SSDEEP

    3072:CdclVo8bVCsZRb4k6m92rtby1l08ndSQGP:dnpR1X+tbyI8ndS

Score
8/10
persistence

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe
    "C:\Users\Admin\AppData\Local\Temp\f1a0b722f22d7bc45a48c1a33ff07adaf1143ea382f6125062fd560bdede74ad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\regedt32.exe
      "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
        3⤵
        • Runs .reg file with regedit
        PID:1184

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\Iterra\T03emp03.reg
    Filesize

    217B

    MD5

    8b5089251b1d4e6526987132f670ee69

    SHA1

    722088df8776176fd3fd91dab0e92535fee5198c

    SHA256

    9bdf5df802c45856bbabe8262a43fd251124bdb400108f01b271632a168b8fa7

    SHA512

    af3651bc21f960ab0f71377f9a957e990dde3680ff56780c539f83692f77922d1c3f5894af9dde3ddde45944d2ad253a752035c3f17e598f28bb2f9e92c09280

    Download Submit

  • \Users\Admin\Documents\Iterra\lnxmaij.dll
    Filesize

    41KB

    MD5

    138d049f208cafba11ce647464a74c83

    SHA1

    8b9c26a5dd9fdc8d8d376d1ef6fe62876068c657

    SHA256

    88b5c70fbc4dc678e4602a1427aa59951676402034ceff683fdf3d5aaa13780c

    SHA512

    6464d7735baf6a3a7516237a76bb532ec5aba4acbc17f5976f1d43e183ed63a99337505388e48c2cf679ec0b1aaf44acde1cf9bfb2bf0d5d22761215480d81c4

    Download Submit

  • memory/960-54-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-55-0x0000000075761000-0x0000000075763000-memory.dmp

    Filesize

    8KB

    Download

  • memory/960-61-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-63-0x00000000026E0000-0x00000000027B3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/960-64-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-65-0x00000000026E0000-0x00000000027B3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/960-66-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download