f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad

Analysis

max time kernel
1s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe
Size

1.6MB
MD5

d197aa94f519089e147eefa626e75889
SHA1

70988dd4ea632079cbf87cd53ef3e49649ad31f4
SHA256

f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad
SHA512

e04f70c5e4df3df177ad4c336e1434328a1eee27d5dd2a47e4933959e0f6da86ed85eb6cdb33632fa289354058ddcaa4cc2606c7eb5d61ad913f2e91a41e02be
SSDEEP

24576:ndp3UYUb2iz88tlJ4E54PmPTiAT08xu0gCONiRz6GLha72yg+PJUT/oD:ncYOF54E5PbiAT0I9gCOyz6d70+KW

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
620	install.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014a3e-68.dat	upx
behavioral1/files/0x0006000000014a3e-75.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe
620	install.exe
620	install.exe
620	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27
PID 1448 wrote to memory of 620	1448	f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe	27

C:\Users\Admin\AppData\Local\Temp\f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe
"C:\Users\Admin\AppData\Local\Temp\f775b93fcbf33e00f307b1810821a01992484a047b546d12af5095a56adaacad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Roaming\Microsoft\install.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:620
- - C:\Users\Admin\AppData\Local\isass.exe
    C:\Users\Admin\AppData\Local\isass.exe
    3⤵
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\isass.exe

Filesize
416KB

MD5
efd8dc764cfbbda87b223f8cf29ba46f

SHA1
fecca52b8b9ea065aec04022b912f600572c2e76

SHA256
d115d766cedb62ac071f08b5cd3786892099815f36257c27aa593909a67d9df2

SHA512
8376d94224e2ba949a0bf2986e6defe7bc067b7afeddeff6677a5d911c90225c9058d7de48ceb941f0c3de5f654bfb1b0c89583ff2eee432571f3233f2f3c4e5

Download Submit
C:\Users\Admin\AppData\Local\probot.exe

Filesize
64KB

MD5
a960a538058855ae030ee741d8b3ef99

SHA1
6ccdeee770026e3fbabbeaf5c566c41869718a39

SHA256
65ec8eb0bc6b2a3556f9c9488dc76a5922a524e0fa933562f7d3b01ef93ab38b

SHA512
b6c53fb623df4edbd5138ba205d452d9a05c63ebd16a1dcc3d90432540f1c1ec6572c98c72ed2a6ca76dd799021c1d398d51491ac6764a1bd946ebe741bdbdce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
1.2MB

MD5
52595aa8321f5539c9a5511847bdc980

SHA1
1cfa096de087d211e2b7f25c2e7cfd3e29649738

SHA256
53efe8ada8dee4cef4f9d1d68749f2f62bceca66c2f6f8b4e317c70d30771b22

SHA512
73ad534aa59b33a2eb42d1a8d1c706ad9ef0655b009be6265d3a0820d9f830471d18515cefaff53dd0adad483752791132dc0bab0246ebeeb6f48d106147a361

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
1.1MB

MD5
6367b571150dcb1fb1b3639b6c5123b9

SHA1
574700df9471dcbe954596322fa5f2d8d716397d

SHA256
439c75ee3021d2511b9e235519d19b287d89dafd4f712300a92d0839ea85ca4b

SHA512
91c5b92ecd1381e154304e7af5ee198d5cba2d01a607b46847fe1427bec1bd28967693662c9bf87fa38610014d561fdae4769cdc2f4a2770238cd4aa333ea87c

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
416KB

MD5
efd8dc764cfbbda87b223f8cf29ba46f

SHA1
fecca52b8b9ea065aec04022b912f600572c2e76

SHA256
d115d766cedb62ac071f08b5cd3786892099815f36257c27aa593909a67d9df2

SHA512
8376d94224e2ba949a0bf2986e6defe7bc067b7afeddeff6677a5d911c90225c9058d7de48ceb941f0c3de5f654bfb1b0c89583ff2eee432571f3233f2f3c4e5

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
192KB

MD5
e0f883c9dafd95455126b28255373766

SHA1
b802f49fbcd4ca056ac2753416a0c45be8ae732d

SHA256
aa594a289f2bb91825c4ef44c45a151c17ba495580be52b3549ba37c9df6fcbc

SHA512
1a782ff8efb5e86f28f193fcc178c80c8c968864d22a6936898966f0a59a7b07696ca480f88215c4a07ff1323f3fbad380a4d7ad3912cd2b778bd040c9052f6f

Download Submit
\Users\Admin\AppData\Local\probot.exe

Filesize
64KB

MD5
a960a538058855ae030ee741d8b3ef99

SHA1
6ccdeee770026e3fbabbeaf5c566c41869718a39

SHA256
65ec8eb0bc6b2a3556f9c9488dc76a5922a524e0fa933562f7d3b01ef93ab38b

SHA512
b6c53fb623df4edbd5138ba205d452d9a05c63ebd16a1dcc3d90432540f1c1ec6572c98c72ed2a6ca76dd799021c1d398d51491ac6764a1bd946ebe741bdbdce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
1.2MB

MD5
52595aa8321f5539c9a5511847bdc980

SHA1
1cfa096de087d211e2b7f25c2e7cfd3e29649738

SHA256
53efe8ada8dee4cef4f9d1d68749f2f62bceca66c2f6f8b4e317c70d30771b22

SHA512
73ad534aa59b33a2eb42d1a8d1c706ad9ef0655b009be6265d3a0820d9f830471d18515cefaff53dd0adad483752791132dc0bab0246ebeeb6f48d106147a361

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
768KB

MD5
86851ef60c32df9a32d8f16853f3b3da

SHA1
f5a9636b29ac302dbca6982e63e5dca6b6f92193

SHA256
a650e0c6aa8555c812896e97eb6433e496d2ada16a5de74821b9b173497b8809

SHA512
4e7f68ae27c0bfa875f1fd91ec25a6806364b45a3e6676ca5470b0d1bbe8ed6052a36328b5d791397e4002912ccce32077ba6846b538ab838c9ef548c2b235a8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
832KB

MD5
3fa22be34f9b49caeaaefe2afc8cdf01

SHA1
4a4eef09d88a1dba07b4f38ae55d14106040de84

SHA256
703598dfaeb5144dd05a1caa9a82bb1a5200bf6edcfd116a76fe3d51c47147c6

SHA512
8d764c59856e38a1be2d197ebe807391ca8b3cadbebbb77ac1221ce6e975c447cfcd3cd1d9b4083795b3222674450e89b0c699e294158b52155caecacb614795

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\install.exe

Filesize
768KB

MD5
86851ef60c32df9a32d8f16853f3b3da

SHA1
f5a9636b29ac302dbca6982e63e5dca6b6f92193

SHA256
a650e0c6aa8555c812896e97eb6433e496d2ada16a5de74821b9b173497b8809

SHA512
4e7f68ae27c0bfa875f1fd91ec25a6806364b45a3e6676ca5470b0d1bbe8ed6052a36328b5d791397e4002912ccce32077ba6846b538ab838c9ef548c2b235a8

Download Submit
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download