9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504

Analysis

max time kernel
144s
max time network
334s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe
Size

80KB
MD5

2589c61fc0c6b0bb50d0ecd7e8e29030
SHA1

c63034643400dbc120e17598e0deeee8bca0067c
SHA256

9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504
SHA512

e3462f30e981b80fab617e94fac51940f322288864abf9bdb1b33e7fa28c8c4c42c9559fdc04267fa2954f4de0dadfc43f537b9b7a49d9cc2fa621b8fb119c18
SSDEEP

768:bmkBfFyvn+GCwHtNVEjC1Xtjb+OJJxa91Ka0z22vL8LHlxf2l/xMe07UGjJdk2fV:CkBfFy27+1tjS3xp2pxOUGg1CTO+D

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	tofed.exe

Loads dropped DLL 2 IoCs

pid	Process
472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe
472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe
1984	tofed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 1984	472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe	28
PID 472 wrote to memory of 1984	472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe	28
PID 472 wrote to memory of 1984	472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe	28
PID 472 wrote to memory of 1984	472	9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe	28

C:\Users\Admin\AppData\Local\Temp\9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe
"C:\Users\Admin\AppData\Local\Temp\9c7778398ec16b736b824bc460d4cb382abb39a69a1bbd97e4a65a0d8d153504.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472
- C:\Users\Admin\tofed.exe
  "C:\Users\Admin\tofed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tofed.exe

Filesize
80KB

MD5
b5d8443526b1e5c932eb713a17246623

SHA1
49372ba2fa9038b4fc2cc87de5d43abc21dce79d

SHA256
06dd514403cc7446aa7db2cd0646e4020281b0013f426cc82eb925f2fb6090d3

SHA512
114bf7909ed9432948fedd547a2a9f8c6ad48b3e5ef73bc33e34ae94f097ba0659031d4bcf07665a5899aedc7539b2ad4d54551a02c1640f2d56b32ebb1f65af

Download Submit
C:\Users\Admin\tofed.exe

Filesize
80KB

MD5
b5d8443526b1e5c932eb713a17246623

SHA1
49372ba2fa9038b4fc2cc87de5d43abc21dce79d

SHA256
06dd514403cc7446aa7db2cd0646e4020281b0013f426cc82eb925f2fb6090d3

SHA512
114bf7909ed9432948fedd547a2a9f8c6ad48b3e5ef73bc33e34ae94f097ba0659031d4bcf07665a5899aedc7539b2ad4d54551a02c1640f2d56b32ebb1f65af

Download Submit
\Users\Admin\tofed.exe

Filesize
80KB

MD5
b5d8443526b1e5c932eb713a17246623

SHA1
49372ba2fa9038b4fc2cc87de5d43abc21dce79d

SHA256
06dd514403cc7446aa7db2cd0646e4020281b0013f426cc82eb925f2fb6090d3

SHA512
114bf7909ed9432948fedd547a2a9f8c6ad48b3e5ef73bc33e34ae94f097ba0659031d4bcf07665a5899aedc7539b2ad4d54551a02c1640f2d56b32ebb1f65af

Download Submit
\Users\Admin\tofed.exe

Filesize
80KB

MD5
b5d8443526b1e5c932eb713a17246623

SHA1
49372ba2fa9038b4fc2cc87de5d43abc21dce79d

SHA256
06dd514403cc7446aa7db2cd0646e4020281b0013f426cc82eb925f2fb6090d3

SHA512
114bf7909ed9432948fedd547a2a9f8c6ad48b3e5ef73bc33e34ae94f097ba0659031d4bcf07665a5899aedc7539b2ad4d54551a02c1640f2d56b32ebb1f65af

Download Submit
memory/472-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download