d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
Size

380KB
MD5

92755b55559f0e8bdb99349174492f5c
SHA1

bf9f6475fde5952e4ed0e2fbbef752912abb0b94
SHA256

d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d
SHA512

80395cfba34752a6cecafc9387ad486368d507af95b41c76977fa52b5f0fe1b6e7e56c101234f319f541f9884ea9b093dbdb2d5545947eddfa1af7fbef6dd2e0
SSDEEP

6144:Qoy8kq/mn2Ty3WgROsgykVl/j7sBfZpJ+ssVQxTzXHEXU0/X9zbKlkc9JnzCvz7N:lLUY4kVl7Y/mVQ1raU4XlbKlJzc7rcK3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1396	27.sfx.exe
756	27.exe

Loads dropped DLL 3 IoCs

pid	Process
892	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
1396	27.sfx.exe
1396	27.sfx.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\found.exe	27.exe
File opened for modification	C:\Windows\SysWOW64\found.exe	27.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\found32.dll	27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32\ = "C:\\Windows\\Debug\\found32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1712	regedit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1396	892	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	27
PID 892 wrote to memory of 1396	892	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	27
PID 892 wrote to memory of 1396	892	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	27
PID 892 wrote to memory of 1396	892	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	27
PID 1396 wrote to memory of 756	1396	27.sfx.exe	29
PID 1396 wrote to memory of 756	1396	27.sfx.exe	29
PID 1396 wrote to memory of 756	1396	27.sfx.exe	29
PID 1396 wrote to memory of 756	1396	27.sfx.exe	29
PID 756 wrote to memory of 1892	756	27.exe	30
PID 756 wrote to memory of 1892	756	27.exe	30
PID 756 wrote to memory of 1892	756	27.exe	30
PID 756 wrote to memory of 1892	756	27.exe	30
PID 756 wrote to memory of 628	756	27.exe	32
PID 756 wrote to memory of 628	756	27.exe	32
PID 756 wrote to memory of 628	756	27.exe	32
PID 756 wrote to memory of 628	756	27.exe	32
PID 1892 wrote to memory of 1712	1892	cmd.exe	34
PID 1892 wrote to memory of 1712	1892	cmd.exe	34
PID 1892 wrote to memory of 1712	1892	cmd.exe	34
PID 1892 wrote to memory of 1712	1892	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
"C:\Users\Admin\AppData\Local\Temp\d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\fnous.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Users\Admin\AppData\Local\Temp\nothks.reg
        5⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe"
      4⤵
      PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe

Filesize
194KB

MD5
85529ed8be19e0cfc8408a541f02e19f

SHA1
ca0e15300463621bec1fc91728000f1a73a3e461

SHA256
aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5

SHA512
a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe

Filesize
194KB

MD5
85529ed8be19e0cfc8408a541f02e19f

SHA1
ca0e15300463621bec1fc91728000f1a73a3e461

SHA256
aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5

SHA512
a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe

Filesize
265KB

MD5
b6bfaab8c3930f7f662eae3409f50e1e

SHA1
1a095262ed56ce4fcda7471536302a1056f84e65

SHA256
552399c08861d1590324c67daf57de58a6bd9dcb027a80baa8313c57124cd518

SHA512
ee04c5b601898b398a34beebe82c6b40203900c797836d93aeb10c8b645ec19f312f35dd817e3c10d79ff67ed6ce1d9832cb70e635d66f6c22e450fc122727e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe

Filesize
265KB

MD5
b6bfaab8c3930f7f662eae3409f50e1e

SHA1
1a095262ed56ce4fcda7471536302a1056f84e65

SHA256
552399c08861d1590324c67daf57de58a6bd9dcb027a80baa8313c57124cd518

SHA512
ee04c5b601898b398a34beebe82c6b40203900c797836d93aeb10c8b645ec19f312f35dd817e3c10d79ff67ed6ce1d9832cb70e635d66f6c22e450fc122727e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnous.bat

Filesize
126B

MD5
7ab275c1bc8750fe49119429e12ab856

SHA1
ea556c59c5d3f2be584d2e208ba42a1540f46986

SHA256
8d96bacc0e4651d7b8c27613f3f721bb89ca9fb9430bab66b2ef90bfe8cb5bb3

SHA512
7fe4bce942523a6adde6d83fc2f63302283f3e0642db4f9f650d50ba8f6f2b7b587229736521615d54b596f24a23146ab7aecb512c145b8dc4b81050ac3576c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nothks.reg

Filesize
403B

MD5
e1db5e72383ca2535cc04d98efb0f6e6

SHA1
b3407d394658ad2d4ef59179fd2ddd419a1dc1d7

SHA256
52a9ba0c766a4da941eb674797f1770712e64e2d2104271b4ff6368a45ba5c31

SHA512
6ac5c144d0103b722a7203b04f79b3c691ff1393b59555a7ccd454a10a64e2c60111e9e45dc1fdaa3fdf180fac2b0416250aa0180a946c772bd3f1225c15c095

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe

Filesize
194KB

MD5
85529ed8be19e0cfc8408a541f02e19f

SHA1
ca0e15300463621bec1fc91728000f1a73a3e461

SHA256
aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5

SHA512
a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe

Filesize
194KB

MD5
85529ed8be19e0cfc8408a541f02e19f

SHA1
ca0e15300463621bec1fc91728000f1a73a3e461

SHA256
aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5

SHA512
a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe

Filesize
265KB

MD5
b6bfaab8c3930f7f662eae3409f50e1e

SHA1
1a095262ed56ce4fcda7471536302a1056f84e65

SHA256
552399c08861d1590324c67daf57de58a6bd9dcb027a80baa8313c57124cd518

SHA512
ee04c5b601898b398a34beebe82c6b40203900c797836d93aeb10c8b645ec19f312f35dd817e3c10d79ff67ed6ce1d9832cb70e635d66f6c22e450fc122727e8

Download Submit
memory/756-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1396-60-0x0000000074351000-0x0000000074353000-memory.dmp

Filesize
8KB

Download