b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7

Analysis

max time kernel
192s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe
Size

92KB
MD5

b72b1f0f7528b4a7055ebc1ff1fc4af9
SHA1

58e0b4749b2b08811677b5da729372b8baceba9a
SHA256

b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7
SHA512

994a31bdceebee992a8062721d8d86c9c3572063398367627da3ab864b3d216ca77295ef5c33450a5931211141c02dff030b4ca4bb9248cd22db1203f5e641de
SSDEEP

1536:5xk7LJVGdm9RUAAUCTBkk46Nj3R28Fu2gg1ODzQmmsEZFTceN:Q74m9ULD28QNg1OnQ1sMueN

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4580	Explorer.exe
4940	explorer.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ouycqd Uqaknxna\Explorer.exe	b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe
File opened for modification	C:\Program Files (x86)\Bqjfgqfgcx\28625	Explorer.exe
File opened for modification	C:\Program Files (x86)\Bqjfgqfgcx\12824	Explorer.exe
File opened for modification	C:\Program Files (x86)\Bqjfgqfgcx\Path.rcd	b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe
File created	C:\Program Files (x86)\Ouycqd Uqaknxna\Explorer.exe	b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	Explorer.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe
4580	Explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4580	2104	b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe	85
PID 2104 wrote to memory of 4580	2104	b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe	85
PID 2104 wrote to memory of 4580	2104	b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe	85
PID 4580 wrote to memory of 4940	4580	Explorer.exe	86
PID 4580 wrote to memory of 4940	4580	Explorer.exe	86
PID 4580 wrote to memory of 4940	4580	Explorer.exe	86

C:\Users\Admin\AppData\Local\Temp\b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe
"C:\Users\Admin\AppData\Local\Temp\b774466cbf5e7682dc7aed6dc00b072676964eb3bf5288078763f249258a6ac7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files (x86)\Ouycqd Uqaknxna\Explorer.exe
  .
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Program Files (x86)\Ouycqd Uqaknxna\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    PID:4940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bqjfgqfgcx\Path.rcd

Filesize
260B

MD5
bdb6d24c37cf01692c3ea5591446015d

SHA1
fca90c08bb5e019f494ecd9bfabdc36b5a43bba3

SHA256
3bec0b01c2ac14ca00841fad20586914b79a0829e9774b1fcded2ee3cf268c13

SHA512
2e3c9b56dab0bcb7e7f831afb36198401d0320987248e2d90237a8882c7835a371d81c1bbb3bb0eba6219256ea251ba0c36a05241f86f42e7aa76b557e9c2651

Download Submit
C:\Program Files (x86)\Ouycqd Uqaknxna\Explorer.exe

Filesize
8.6MB

MD5
50d7a3a7f0a867122b4149d0f7bccd87

SHA1
eb94797660abce8d9220d65309c0eac34f6c8996

SHA256
d810bb7149a112cac4fdbdbbf3b33044a74783280c1cc600b494e5ee3d9d2254

SHA512
a9dc44d8bb1b7cf2bb4cfe7e4e98dfa7c7e432f94157a879e4bc7a185160197f20fb50f98ae60b5c899e65383565adc17c55b06dc876ab2789af4dceedb04163

Download Submit
C:\Program Files (x86)\Ouycqd Uqaknxna\Explorer.exe

Filesize
8.6MB

MD5
50d7a3a7f0a867122b4149d0f7bccd87

SHA1
eb94797660abce8d9220d65309c0eac34f6c8996

SHA256
d810bb7149a112cac4fdbdbbf3b33044a74783280c1cc600b494e5ee3d9d2254

SHA512
a9dc44d8bb1b7cf2bb4cfe7e4e98dfa7c7e432f94157a879e4bc7a185160197f20fb50f98ae60b5c899e65383565adc17c55b06dc876ab2789af4dceedb04163

Download Submit
C:\Program Files (x86)\Ouycqd Uqaknxna\Explorer.exe

Filesize
8.6MB

MD5
50d7a3a7f0a867122b4149d0f7bccd87

SHA1
eb94797660abce8d9220d65309c0eac34f6c8996

SHA256
d810bb7149a112cac4fdbdbbf3b33044a74783280c1cc600b494e5ee3d9d2254

SHA512
a9dc44d8bb1b7cf2bb4cfe7e4e98dfa7c7e432f94157a879e4bc7a185160197f20fb50f98ae60b5c899e65383565adc17c55b06dc876ab2789af4dceedb04163

Download Submit