Analysis

  • max time kernel
    151s
  • max time network
    70s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/12/2022, 20:11

General

  • Target

    a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe

  • Size

    124KB

  • MD5

    52d197a8f2403b7cd836dc265b72a988

  • SHA1

    3407489236adab68e5e148aa4d3ab3b0c18117be

  • SHA256

    a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65

  • SHA512

    3087cb8caa73499283f6522e4d1597674e01c72a0566ab34de46c4fee4e49df0ffdacd49769a600e8db82120bd8fdde59263eaa95eed49dd724103c3970b6849

  • SSDEEP

    3072:ICMQBK3vXvOG2RdYjH08qdLxilMiyfwAfGxMwE:5M2K3vXWG4mzQLxilMiyfwAfGx

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 50 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe"
    PID: 2028
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\poaubi.exe
      Command line: "C:\Users\Admin\poaubi.exe"
      PID: 772
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\poaubi.exe

    Filesize

    124KB

    MD5

    e21f0169e7b82f6a6892b99e0086af84

    SHA1

    a9d89551fae7e0e18708d6b03eaca3a825644103

    SHA256

    362c502399f58015cbc0f424b8223c5ada4d6db496b17516acae89900b5d84b8

    SHA512

    788bbbedb0e498cfc4547bf913af1d9e658b7fa4fecea035322e2b87a4a79a1e7d41dfde5049431831d3c80f0ed587695c5f24ef094206244cb33f76c97c2894

  • \Users\Admin\poaubi.exe

    Filesize

    124KB

    MD5

    e21f0169e7b82f6a6892b99e0086af84

    SHA1

    a9d89551fae7e0e18708d6b03eaca3a825644103

    SHA256

    362c502399f58015cbc0f424b8223c5ada4d6db496b17516acae89900b5d84b8

    SHA512

    788bbbedb0e498cfc4547bf913af1d9e658b7fa4fecea035322e2b87a4a79a1e7d41dfde5049431831d3c80f0ed587695c5f24ef094206244cb33f76c97c2894

  • memory/2028-56-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

    Filesize

    8KB