50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1

Analysis

max time kernel
42s
max time network
107s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe
Size

404KB
MD5

609ea2509019e198c8c6a903dec1f738
SHA1

2148f0a807ce1ffbe0509340c20581dc81b5c5ca
SHA256

50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1
SHA512

f2a295b5f72a1af0579805da64710291b2cf98428ca5ee32beb032812ee7f0a40e0ca20115418c0d2943e4509363d9fe5e6311c904bc53250f4d9e5615f41065
SSDEEP

12288:BK2mhAMJ/cPlJYh0GNDCkCpsWndJXDYD4hY:w2O/GlJEDWndJTYsu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1408	servers.sfx.exe

Loads dropped DLL 1 IoCs

pid	Process
1804	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	servers.sfx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1408	servers.sfx.exe
1408	servers.sfx.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1948 wrote to memory of 1804	1948	50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe	27
PID 1804 wrote to memory of 1408	1804	cmd.exe	29
PID 1804 wrote to memory of 1408	1804	cmd.exe	29
PID 1804 wrote to memory of 1408	1804	cmd.exe	29
PID 1804 wrote to memory of 1408	1804	cmd.exe	29
PID 1804 wrote to memory of 1408	1804	cmd.exe	29
PID 1804 wrote to memory of 1408	1804	cmd.exe	29
PID 1804 wrote to memory of 1408	1804	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe
"C:\Users\Admin\AppData\Local\Temp\50e35b329dbe430856433c8654391ccadf7c65c0b918592c5b8e9b6f750cb6e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\encrypter.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\servers.sfx.exe
    Servers.sfx.exe -pabc123 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\encrypter.bat

Filesize
33B

MD5
cb433c4362646249333d790031a8e035

SHA1
5cf0888ee46a69c5924116ec19dfc6f2cbaa507b

SHA256
63e84b53b19a275a0c93fd15fba41f813b998b8daa0089bbb12eb6729922963e

SHA512
d8e90e9d031b1bd3a9ba7035cdcb0d219bf89b278c3d7460ba27518b579875a211d343379f8c0c1e8f05c867271993f3f12d471ac916df10e966f75b332e5374

Download Submit
C:\Users\Admin\AppData\Local\Temp\servers.sfx.exe

Filesize
350KB

MD5
e4285290f1ce7e9241a82092ae5d4c5e

SHA1
cb7eef2c96c183da62446134ef1e6df8ebeb9d10

SHA256
4702d2de6777bf2f3b0dab0df6f4b337941d23af85f8237a815f11087cbe64b3

SHA512
12d603f71bdb47fc9b2f99c5af1e1910a5a83f1a79b4cc32bb51c21c95a14426eaf48b0119d5658d80354710696c4c0f1c213d83f6bde5794a684695115b5354

Download Submit
C:\Users\Admin\AppData\Local\Temp\servers.sfx.exe

Filesize
350KB

MD5
e4285290f1ce7e9241a82092ae5d4c5e

SHA1
cb7eef2c96c183da62446134ef1e6df8ebeb9d10

SHA256
4702d2de6777bf2f3b0dab0df6f4b337941d23af85f8237a815f11087cbe64b3

SHA512
12d603f71bdb47fc9b2f99c5af1e1910a5a83f1a79b4cc32bb51c21c95a14426eaf48b0119d5658d80354710696c4c0f1c213d83f6bde5794a684695115b5354

Download Submit
\Users\Admin\AppData\Local\Temp\servers.sfx.exe

Filesize
350KB

MD5
e4285290f1ce7e9241a82092ae5d4c5e

SHA1
cb7eef2c96c183da62446134ef1e6df8ebeb9d10

SHA256
4702d2de6777bf2f3b0dab0df6f4b337941d23af85f8237a815f11087cbe64b3

SHA512
12d603f71bdb47fc9b2f99c5af1e1910a5a83f1a79b4cc32bb51c21c95a14426eaf48b0119d5658d80354710696c4c0f1c213d83f6bde5794a684695115b5354

Download Submit
memory/1948-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download