a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe
Size

202KB
MD5

e59ec66feda740973c7ab1fb8c6a2e81
SHA1

235a9d656647910648e134ef42e3cc36dd62a687
SHA256

a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca
SHA512

c2a5a4be9994a5239d57b8db16b97a484bd4fcf21f36ddafda7611e2aebad81d6cd5a44f55ac151c85f72eb63ab7e11bed5c894d34424c5cbc7f9085d025bb47
SSDEEP

3072:Pm3xAixt4HsHV9akIRZt6XL6TPixomP0yd+kBOPvIedIdutqqJPOI88vKiW+Ecwn:Pm3+m4qV2Kp0y5wPwEIQtqqtOIJX8es3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
596	inlFE7E.tmp
1028	lieB3D8.tmp

Deletes itself 1 IoCs

pid	Process
1064	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1772	cmd.exe
1772	cmd.exe
316	cmd.exe
316	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\fxsst.dll	inlFE7E.tmp
File created	C:\Windows\SysWOW64\wbem\FXSAPI.dll	inlFE7E.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LiveMeeting\rarExts32.dat	inlFE7E.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1916	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
596	inlFE7E.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1772	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	27
PID 1348 wrote to memory of 1772	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	27
PID 1348 wrote to memory of 1772	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	27
PID 1348 wrote to memory of 1772	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	27
PID 1348 wrote to memory of 1968	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	29
PID 1348 wrote to memory of 1968	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	29
PID 1348 wrote to memory of 1968	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	29
PID 1348 wrote to memory of 1968	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	29
PID 1348 wrote to memory of 1064	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	31
PID 1348 wrote to memory of 1064	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	31
PID 1348 wrote to memory of 1064	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	31
PID 1348 wrote to memory of 1064	1348	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	31
PID 1968 wrote to memory of 544	1968	cmd.exe	33
PID 1968 wrote to memory of 544	1968	cmd.exe	33
PID 1968 wrote to memory of 544	1968	cmd.exe	33
PID 1968 wrote to memory of 544	1968	cmd.exe	33
PID 1772 wrote to memory of 596	1772	cmd.exe	34
PID 1772 wrote to memory of 596	1772	cmd.exe	34
PID 1772 wrote to memory of 596	1772	cmd.exe	34
PID 1772 wrote to memory of 596	1772	cmd.exe	34
PID 596 wrote to memory of 316	596	inlFE7E.tmp	37
PID 596 wrote to memory of 316	596	inlFE7E.tmp	37
PID 596 wrote to memory of 316	596	inlFE7E.tmp	37
PID 596 wrote to memory of 316	596	inlFE7E.tmp	37
PID 316 wrote to memory of 1028	316	cmd.exe	39
PID 316 wrote to memory of 1028	316	cmd.exe	39
PID 316 wrote to memory of 1028	316	cmd.exe	39
PID 316 wrote to memory of 1028	316	cmd.exe	39
PID 1028 wrote to memory of 1940	1028	lieB3D8.tmp	41
PID 1028 wrote to memory of 1940	1028	lieB3D8.tmp	41
PID 1028 wrote to memory of 1940	1028	lieB3D8.tmp	41
PID 1028 wrote to memory of 1940	1028	lieB3D8.tmp	41
PID 1940 wrote to memory of 1916	1940	cmd.exe	42
PID 1940 wrote to memory of 1916	1940	cmd.exe	42
PID 1940 wrote to memory of 1916	1940	cmd.exe	42
PID 1940 wrote to memory of 1916	1940	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe
"C:\Users\Admin\AppData\Local\Temp\a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\inlFE7E.tmp
    C:\Users\Admin\AppData\Local\Temp\inlFE7E.tmp amd-k5p4g.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Users\Admin\AppData\Local\Temp\lieB3D8.tmp
        
        C:\Users\Admin\AppData\Local\Temp\lieB3D8.tmp
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 88.99.00.00
        7⤵
        Runs ping.exe
        
        PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A0A633~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amd-k5p4g.tmp

Filesize
763B

MD5
3e0894dbd05b27b148df2737884ea8e8

SHA1
91b50baad5dec9d14febf96722e28409346b5115

SHA256
65d08113cb9920fcf07aef4073d2d60f0deea7fdacb64b205217b46d69ff27ec

SHA512
5cb5015356acde2b538268d6997dccfe9d4be5454713df0351b69e38c524df48288e45a766d106901615f2ffba3e1036870e66e0fd0fa91ae851fd19501562e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlFE7E.tmp

Filesize
163.7MB

MD5
6475b083a05f44f647cfaf1c392c59d4

SHA1
15bba6c9f332b2f204bb8a30d06b048fa63abe7e

SHA256
40385a03a8884c7dbf333366328e44c6f6c09f270e84c43867abcc1ecbeec8fa

SHA512
1f577235ce28529b49838cefdf33bb82d7dc589b28e23f7bfa8ea701549a8982da8de276847b53088a862c153eb2eb3a91b835a157b22fa19c1b62c9a5919cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlFE7E.tmp

Filesize
163.7MB

MD5
6475b083a05f44f647cfaf1c392c59d4

SHA1
15bba6c9f332b2f204bb8a30d06b048fa63abe7e

SHA256
40385a03a8884c7dbf333366328e44c6f6c09f270e84c43867abcc1ecbeec8fa

SHA512
1f577235ce28529b49838cefdf33bb82d7dc589b28e23f7bfa8ea701549a8982da8de276847b53088a862c153eb2eb3a91b835a157b22fa19c1b62c9a5919cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lieB3D8.tmp

Filesize
74.2MB

MD5
32f3728b7275073259a06c77deb4bcdf

SHA1
48c52d0c6b5d5543df15ba94101df7a2a24d49c4

SHA256
dc00dedddba4fcd436f90f0e1f557a55cc208aa9c1438e7dc98eb48056154774

SHA512
8dcf1eb76611f6dfd7c16b1da6fb8ebc90207fa0c6ae14d352fe4dda56bea0df9e8ed120344f85ce5688f88f0fdee287f5e5a90a9ec87ae0f31be88ca0d3e293

Download Submit
C:\Users\Admin\AppData\Local\Temp\lieB3D8.tmp

Filesize
68.8MB

MD5
90edada635ea4e9e627fb896100bf351

SHA1
9ddb22bf07eb595c6b07db534ac5789c19f56cfa

SHA256
b029b6ab208af71a5c52187f19f00cd9daa08601ff2af264976971a9d1e01b7f

SHA512
2ac241fa71f7670080aeff6b509f4cda74aab790a25867ad0240826b79aad4095aa8263e9f93d96d3376b176568416db77e0dac43d06af2f51f9c88c4bc7cc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
59B

MD5
183d0eb7eecdd78b08b22dafd73f3b5d

SHA1
71666b41c1eaafa4b5adb148493ca9590bfd8d41

SHA256
80d0ebaf07d467415a0a451ae6abff4b76287ce72ee6825220f08fc6c7e89959

SHA512
c3d52b56f6c6b7f5a6fccb365da3675cfd523077eeba1cabcd37fda59bad39014faee98b748bfcfb477f02a15291d0aed1768a15712bb0115f860481e085067a

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat

Filesize
45B

MD5
15cc87266336f134c4816e902ddcb866

SHA1
a383e17e033812b722d41a138b2f1318dfaac9df

SHA256
6005c15026a73097350f1a52c197e1a6de6eccc82ef55e5b701c673f70f90a8d

SHA512
ea6ebc467f8789c4ba6bcb14c61fd01a1a0e8e95ec2dbf902b3201f42a02007c64a57c9144ea6191a6c18e56127b8bca8a6ff249b4042963e7913af26fe12f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat

Filesize
70B

MD5
edea5cd5060d69b6c558fea75e330a67

SHA1
929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

SHA256
1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

SHA512
adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
\Users\Admin\AppData\Local\Temp\inlFE7E.tmp

Filesize
163.7MB

MD5
6475b083a05f44f647cfaf1c392c59d4

SHA1
15bba6c9f332b2f204bb8a30d06b048fa63abe7e

SHA256
40385a03a8884c7dbf333366328e44c6f6c09f270e84c43867abcc1ecbeec8fa

SHA512
1f577235ce28529b49838cefdf33bb82d7dc589b28e23f7bfa8ea701549a8982da8de276847b53088a862c153eb2eb3a91b835a157b22fa19c1b62c9a5919cdc

Download Submit
\Users\Admin\AppData\Local\Temp\inlFE7E.tmp

Filesize
163.7MB

MD5
6475b083a05f44f647cfaf1c392c59d4

SHA1
15bba6c9f332b2f204bb8a30d06b048fa63abe7e

SHA256
40385a03a8884c7dbf333366328e44c6f6c09f270e84c43867abcc1ecbeec8fa

SHA512
1f577235ce28529b49838cefdf33bb82d7dc589b28e23f7bfa8ea701549a8982da8de276847b53088a862c153eb2eb3a91b835a157b22fa19c1b62c9a5919cdc

Download Submit
\Users\Admin\AppData\Local\Temp\lieB3D8.tmp

Filesize
71.9MB

MD5
de2feb7b5ef892b9e7f9fcf51900a241

SHA1
56bf7d83e742ee033ebc07e469740e599bbf27a9

SHA256
c516b023b4b4aeabc223ac3997f1d58366308eab352ede300d015ea383fb3a0b

SHA512
6ced0456f2941ca334aa34ee4e05d92e831df1a73c532bfc431581e6613ab77d5e6b4ba3f5cfc08558e39ad229a149ceb6ccc19ebf25c8cd6db90246ddce674a

Download Submit
\Users\Admin\AppData\Local\Temp\lieB3D8.tmp

Filesize
65.1MB

MD5
40b3cdecc7e0f9cdc8e2012a14cbbaeb

SHA1
c031f7ea0575a39e4556e56eeabf392da250525e

SHA256
f007d8b405d1e0b839ac654f6337fc1f91c5e0f639d53b44fe3ed8f4b0349ea7

SHA512
7e17952c2908afb886ec6cc76c73ee7ed57fc10c5444feb69e3bd10cb4e48468b40b9a285ef7c16745b256739a045e205f7acb071280777480524c61a97cf5f6

Download Submit
memory/596-74-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/596-73-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1348-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1772-71-0x0000000001FA0000-0x0000000001FF0000-memory.dmp

Filesize
320KB

Download
memory/1772-69-0x0000000001FA0000-0x0000000001FF0000-memory.dmp

Filesize
320KB

Download