d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f

Analysis

max time kernel
136s
max time network
135s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
Size

2.7MB
MD5

fb42083b7f6194e7fef587db06b78ace
SHA1

1c6dd7f0ece5fc0e040f5475b1b921efd553672b
SHA256

d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f
SHA512

ec01fb96a07af02a3173e591b27f372560fc8274759efc6687a3e1e850156b49279340fab2c33bcb5935d8c379cc43195f98a864172509030a3da70d281168ab
SSDEEP

49152:pZxIvhmY1psJi+llhjJYpsGXCasY6DwOBfrnvV7UeWtE0NCCV/:pUvhd1psJi+FjOZGYiwOBpIeWf8CN

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
1624	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1624	1716	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe	28
PID 1716 wrote to memory of 1624	1716	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe	28
PID 1716 wrote to memory of 1624	1716	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe	28
PID 1716 wrote to memory of 1624	1716	d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe	28

C:\Users\Admin\AppData\Local\Temp\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
"C:\Users\Admin\AppData\Local\Temp\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\sbnwect2.yar\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnwect2.yar\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sbnwect2.yar\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Filesize
2.5MB

MD5
edce90c693d8968d8190a4e4ed6695a1

SHA1
4d350ed428cd292ff8f1ecca211afbdb1133e176

SHA256
f1bd69ac9f2870d6533299526f7454fb33ad0e12de2dc099638016bde489c8cd

SHA512
f1182c8208dfd96500b089dfc19ceb207ba8a89292303dd280e3648087e95bff010cc749c5d3f1441543be7850cc17e8d0ba4f0c71c830f61a3cf5bf27ed0fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnwect2.yar\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Filesize
2.5MB

MD5
edce90c693d8968d8190a4e4ed6695a1

SHA1
4d350ed428cd292ff8f1ecca211afbdb1133e176

SHA256
f1bd69ac9f2870d6533299526f7454fb33ad0e12de2dc099638016bde489c8cd

SHA512
f1182c8208dfd96500b089dfc19ceb207ba8a89292303dd280e3648087e95bff010cc749c5d3f1441543be7850cc17e8d0ba4f0c71c830f61a3cf5bf27ed0fa0

Download Submit
\Users\Admin\AppData\Local\Temp\sbnwect2.yar\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\sbnwect2.yar\d295fdcd5708a68f5f7a3ab39ec81b1d501a2ce51f5bef8b1253735db735487f.exe

Filesize
2.5MB

MD5
edce90c693d8968d8190a4e4ed6695a1

SHA1
4d350ed428cd292ff8f1ecca211afbdb1133e176

SHA256
f1bd69ac9f2870d6533299526f7454fb33ad0e12de2dc099638016bde489c8cd

SHA512
f1182c8208dfd96500b089dfc19ceb207ba8a89292303dd280e3648087e95bff010cc749c5d3f1441543be7850cc17e8d0ba4f0c71c830f61a3cf5bf27ed0fa0

Download Submit
memory/1624-80-0x00000000754A0000-0x00000000754D5000-memory.dmp

Filesize
212KB

Download
memory/1624-85-0x0000000075A00000-0x0000000075A8F000-memory.dmp

Filesize
572KB

Download
memory/1624-61-0x0000000074920000-0x000000007496A000-memory.dmp

Filesize
296KB

Download
memory/1624-62-0x00000000009D0000-0x0000000000AC0000-memory.dmp

Filesize
960KB

Download
memory/1624-106-0x0000000002BCA000-0x0000000002BDB000-memory.dmp

Filesize
68KB

Download
memory/1624-64-0x00000000009D0000-0x0000000000AC0000-memory.dmp

Filesize
960KB

Download
memory/1624-67-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1624-69-0x00000000009D0000-0x0000000000AC0000-memory.dmp

Filesize
960KB

Download
memory/1624-105-0x0000000002BCA000-0x0000000002BDB000-memory.dmp

Filesize
68KB

Download
memory/1624-68-0x0000000075040000-0x00000000750EC000-memory.dmp

Filesize
688KB

Download
memory/1624-70-0x00000000754E0000-0x0000000075527000-memory.dmp

Filesize
284KB

Download
memory/1624-71-0x0000000075C90000-0x0000000075CE7000-memory.dmp

Filesize
348KB

Download
memory/1624-72-0x0000000074880000-0x0000000074889000-memory.dmp

Filesize
36KB

Download
memory/1624-73-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-74-0x00000000760C0000-0x0000000076D0A000-memory.dmp

Filesize
12.3MB

Download
memory/1624-77-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-76-0x0000000074E30000-0x0000000074F8C000-memory.dmp

Filesize
1.4MB

Download
memory/1624-104-0x0000000071BE0000-0x0000000071BF3000-memory.dmp

Filesize
76KB

Download
memory/1624-103-0x0000000071C10000-0x0000000071C6F000-memory.dmp

Filesize
380KB

Download
memory/1624-81-0x0000000074D10000-0x0000000074E2D000-memory.dmp

Filesize
1.1MB

Download
memory/1624-82-0x0000000064E70000-0x0000000065142000-memory.dmp

Filesize
2.8MB

Download
memory/1624-79-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1624-86-0x0000000073580000-0x0000000073597000-memory.dmp

Filesize
92KB

Download
memory/1624-87-0x0000000073560000-0x0000000073575000-memory.dmp

Filesize
84KB

Download
memory/1624-88-0x0000000072A70000-0x0000000072AC2000-memory.dmp

Filesize
328KB

Download
memory/1624-89-0x0000000073550000-0x000000007355D000-memory.dmp

Filesize
52KB

Download
memory/1624-90-0x0000000075BE0000-0x0000000075BF9000-memory.dmp

Filesize
100KB

Download
memory/1624-91-0x0000000071E70000-0x0000000071EBF000-memory.dmp

Filesize
316KB

Download
memory/1624-92-0x0000000071EC0000-0x0000000071F18000-memory.dmp

Filesize
352KB

Download
memory/1624-93-0x0000000071E50000-0x0000000071E6C000-memory.dmp

Filesize
112KB

Download
memory/1624-94-0x0000000000220000-0x000000000025D000-memory.dmp

Filesize
244KB

Download
memory/1624-95-0x00000000009D0000-0x0000000000AC0000-memory.dmp

Filesize
960KB

Download
memory/1624-96-0x00000000754E0000-0x0000000075527000-memory.dmp

Filesize
284KB

Download
memory/1624-97-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-98-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1624-99-0x0000000074B20000-0x0000000074B2C000-memory.dmp

Filesize
48KB

Download
memory/1624-101-0x00000000759D0000-0x00000000759F7000-memory.dmp

Filesize
156KB

Download
memory/1624-102-0x0000000071C80000-0x0000000071E10000-memory.dmp

Filesize
1.6MB

Download
memory/1716-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1716-55-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-65-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-63-0x0000000004680000-0x0000000004770000-memory.dmp

Filesize
960KB

Download