Analysis
- max time kernel: 186s
- max time network: 200s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 16:27

Static task: static1

Behavioral task: behavioral1
- Sample: a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
- Resource: win10v2004-20220812-en
General
- Target: a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
- Size: 153KB
- MD5: 5b1931b78644abc16bbd7e8b6269b3ff
- SHA1: fb7447b14920670f579ff42fb69d4f2fc29ec757
- SHA256: a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879
- SHA512: 84ad29c54448fb372114b635b92e9c3f04d8970807492589ed5991917ff1b061655ddbe795807691e55ca5cd406060adb50df6e43fb1d963b1d38c31523221ce
- SSDEEP: 3072:oLv3G9oX0gJNHHHHHLXXXXXX7rXXXSsnBSpFuFqkD6gZemy1ndT5ml:8GrgJNHHHHHLXXXXXX7rXXXSsnk4qcy3
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Loads dropped DLL (1 IoC)
  pid 1676  process a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs .reg file with regedit (1 IoC)
  pid 1680  process regedit.exe
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 1676  process a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe  (27 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process                                                                   procid_target
  PID 1676 wrote to memory of 268    1676  a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe  28  (4 identical entries)
  PID 268 wrote to memory of 1680    268   regedt32.exe                                                              29  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0dcedb74bab740eb05a6e7c6e9a31481d5480c2d7c039a8fac0f3f2311bb879.exe"
  PID: 1676
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regedt32.exe
    Command line: "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    PID: 268
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe
      Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
      PID: 1680
      - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 217B
  MD5: da26e1f40f495914e3c2dd2947202ed7
  SHA1: 399b02e0f3cca489967112426b351cb76eaee3f9
  SHA256: 46a911c617dea2346a49fec1537bdbf3804792d733bf75ed1e90e60cfd6be201
  SHA512: d07c9ef0bad627a34148ce48fdc19027882860e0ca55764356b1093cf7d9cc9cf2c2a180582fc06ae1a7499317840336a93cf14e5e18788b2d47e26fa9a383f0
- Filesize: 42KB
  MD5: c7f36664b64e2f2dc95e99eddc4d5259
  SHA1: f28b41f062c021b81f6cb8ee9b1c785485a552ae
  SHA256: 524e2540c8ed613ee020f55d1e2226ba70ad14793b268444a9f246402c023cca
  SHA512: 5f2d8bb427796c27fcb940b7fd43517f5e7f9696f78f168aa0ed45c6c074f1a9e2f0c42969531aa9c900ba7cb0be9c2e3ba472441f8a43ff1e017040aa36a92d