Analysis

  • max time kernel
    151s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/12/2022, 16:26

General

  • Target

    a07770319f34ad78cc64e085ecdc8434b730eba30d61efc630e6ffeadcd65b59.exe

  • Size

    124KB

  • MD5

    83ffbe9067e7699ae598508c11b4ed40

  • SHA1

    505451e8c266e6b5c60f979e2986ecbb6a457e84

  • SHA256

    a07770319f34ad78cc64e085ecdc8434b730eba30d61efc630e6ffeadcd65b59

  • SHA512

    c049619dfdfd32518a949d8df383a480ad21f0f14fcca0a41dd4d69fd2a7e6228ca3c04b5365e53a5d3a7edc6f93bd11617a1ecbb5550204cbd7718a4ff9778f

  • SSDEEP

    1536:ydEHhwRguBxeDtMYHa27J14ltxporZ45i8NeG0h/l:+EHhwRgkeV6gJ1uCt45yt

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a07770319f34ad78cc64e085ecdc8434b730eba30d61efc630e6ffeadcd65b59.exe
    "C:\Users\Admin\AppData\Local\Temp\a07770319f34ad78cc64e085ecdc8434b730eba30d61efc630e6ffeadcd65b59.exe"
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\tkdouz.exe
      "C:\Users\Admin\tkdouz.exe"
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\tkdouz.exe

    Filesize

    124KB

    MD5

    cea488f5710beac7ccbfc5faa2e8582c

    SHA1

    47f61df77993eb2d939bb360f68b70b1f4f6dbea

    SHA256

    efb6826d03912a92ad89d0fece133c46a81621050b54152b550238421f3b6c70

    SHA512

    9c414bdb83d95a0f5c92b1b8a0181ccdfac2113802e96fffd32fcadff0e48d8c6b0829366dbdfbe97f1bcd15c4f50cd03065a5ded3b1b1843ad484db55f44ddc

  • \Users\Admin\tkdouz.exe

    Filesize

    124KB

    MD5

    cea488f5710beac7ccbfc5faa2e8582c

    SHA1

    47f61df77993eb2d939bb360f68b70b1f4f6dbea

    SHA256

    efb6826d03912a92ad89d0fece133c46a81621050b54152b550238421f3b6c70

    SHA512

    9c414bdb83d95a0f5c92b1b8a0181ccdfac2113802e96fffd32fcadff0e48d8c6b0829366dbdfbe97f1bcd15c4f50cd03065a5ded3b1b1843ad484db55f44ddc

  • memory/1168-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

    Filesize

    8KB