Analysis

  • max time kernel: 186s
  • max time network: 200s
  • platform: windows7_x64
  • resource: win7-20221111-en
  • resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-12-2022 16:27

General

  • Target

    a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe

  • Size

    153KB

  • MD5

    5b1931b78644abc16bbd7e8b6269b3ff

  • SHA1

    fb7447b14920670f579ff42fb69d4f2fc29ec757

  • SHA256

    a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879

  • SHA512

    84ad29c54448fb372114b635b92e9c3f04d8970807492589ed5991917ff1b061655ddbe795807691e55ca5cd406060adb50df6e43fb1d963b1d38c31523221ce

  • SSDEEP

    3072:oLv3G9oX0gJNHHHHHLXXXXXX7rXXXSsnBSpFuFqkD6gZemy1ndT5ml:8GrgJNHHHHHLXXXXXX7rXXXSsnk4qcy3

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
    "C:\Users\Admin\AppData\Local\Temp\a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe"
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\regedt32.exe
      "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\regedit.exe
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
        • Runs .reg file with regedit
        PID:1680

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Documents\Iterra\T03emp03.reg

    Filesize

    217B

    MD5

    da26e1f40f495914e3c2dd2947202ed7

    SHA1

    399b02e0f3cca489967112426b351cb76eaee3f9

    SHA256

    46a911c617dea2346a49fec1537bdbf3804792d733bf75ed1e90e60cfd6be201

    SHA512

    d07c9ef0bad627a34148ce48fdc19027882860e0ca55764356b1093cf7d9cc9cf2c2a180582fc06ae1a7499317840336a93cf14e5e18788b2d47e26fa9a383f0

  • \Users\Admin\Documents\Iterra\efmbwmi.dll

    Filesize

    42KB

    MD5

    c7f36664b64e2f2dc95e99eddc4d5259

    SHA1

    f28b41f062c021b81f6cb8ee9b1c785485a552ae

    SHA256

    524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca

    SHA512

    5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d

  • memory/1676-54-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/1676-55-0x0000000075A31000-0x0000000075A33000-memory.dmp (Filesize: 8KB)
  • memory/1676-56-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/1676-63-0x0000000002650000-0x0000000002723000-memory.dmp (Filesize: 844KB)
  • memory/1676-64-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/1676-65-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)