aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161

Analysis

max time kernel
34s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe
Size

37KB
MD5

ba07e86ce5bccbb4a9a9cdafef15f697
SHA1

f0a4f538bfcd9138b195ca0a2b1e8939d8c79310
SHA256

aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161
SHA512

4cba5bc48c53928c16cd801f58d0a4cc6e3b8447df0ee6b5aec0ff0b8172b3fb9631c34c7e5baef82c8e4991eee1a2c3d2b8f580028835825ade0deab8ad668a
SSDEEP

768:qhngu9Tmmdm3XR1hrNlYgu2O0cxBntsA7p5ULFnbiFJzuI6rwR:wTmmdm3hDrNlxH4l7p5YFnbiFl6rI

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
JaKeIsJaCk1

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	MCCodeGenerator.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	MCCodeGenerator.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	MCCodeGenerator.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 2036	364	aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe	26
PID 364 wrote to memory of 2036	364	aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe	26
PID 364 wrote to memory of 2036	364	aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe	26

C:\Users\Admin\AppData\Local\Temp\aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe
"C:\Users\Admin\AppData\Local\Temp\aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe
  "C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe

Filesize
37KB

MD5
ba07e86ce5bccbb4a9a9cdafef15f697

SHA1
f0a4f538bfcd9138b195ca0a2b1e8939d8c79310

SHA256
aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161

SHA512
4cba5bc48c53928c16cd801f58d0a4cc6e3b8447df0ee6b5aec0ff0b8172b3fb9631c34c7e5baef82c8e4991eee1a2c3d2b8f580028835825ade0deab8ad668a

Download Submit
C:\Users\Admin\AppData\Roaming\MCCodeGenerator.exe

Filesize
37KB

MD5
ba07e86ce5bccbb4a9a9cdafef15f697

SHA1
f0a4f538bfcd9138b195ca0a2b1e8939d8c79310

SHA256
aa04e7d4e6e10f7ec618631a812d0f7941cc43f1fcad2992d20c86831bde9161

SHA512
4cba5bc48c53928c16cd801f58d0a4cc6e3b8447df0ee6b5aec0ff0b8172b3fb9631c34c7e5baef82c8e4991eee1a2c3d2b8f580028835825ade0deab8ad668a

Download Submit
memory/364-54-0x000007FEF3A10000-0x000007FEF4433000-memory.dmp

Filesize
10.1MB

Download
memory/364-55-0x000007FEF2970000-0x000007FEF3A06000-memory.dmp

Filesize
16.6MB

Download
memory/364-56-0x00000000021B6000-0x00000000021D5000-memory.dmp

Filesize
124KB

Download
memory/364-57-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/364-63-0x00000000021B6000-0x00000000021D5000-memory.dmp

Filesize
124KB

Download
memory/2036-61-0x000007FEF3A10000-0x000007FEF4433000-memory.dmp

Filesize
10.1MB

Download
memory/2036-62-0x000007FEF2970000-0x000007FEF3A06000-memory.dmp

Filesize
16.6MB

Download