649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b

Analysis

max time kernel
152s
max time network
198s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
Size

179KB
MD5

8155b71a2e4562b5e682d22f0010bd24
SHA1

6a9bc4ae28b678ec766ccc6e1e80bd8e0216f3f5
SHA256

649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b
SHA512

8966917fa4607935d370704ecab41461615239258419891ae70de086956f86fda693f9070e09da25cff110e51e75806ff92c943c914839f885fe168c4929a65a
SSDEEP

3072:X875giexVu7fhrnv6MJQPRu2uuQ6ET31Ap0A+GpMWLHJiFp3:slPex8VuMepBLRLpiz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1340	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe
1340	regsvr32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1792	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 856	1792	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	28
PID 1792 wrote to memory of 856	1792	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	28
PID 1792 wrote to memory of 856	1792	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	28
PID 1792 wrote to memory of 856	1792	649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe	28
PID 856 wrote to memory of 1340	856	cmd.exe	31
PID 856 wrote to memory of 1340	856	cmd.exe	31
PID 856 wrote to memory of 1340	856	cmd.exe	31
PID 856 wrote to memory of 1340	856	cmd.exe	31
PID 856 wrote to memory of 1340	856	cmd.exe	31
PID 856 wrote to memory of 1340	856	cmd.exe	31
PID 856 wrote to memory of 1340	856	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe
"C:\Users\Admin\AppData\Local\Temp\649816a62a2ff50cb68d0a9e5a228b3c2b5a02019e02d6239bc240467ed8c03b.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\2266\msseedir.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\ProgramData\2266\msseedir.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2266\msseedir.dll

Filesize
92KB

MD5
7cb12175da81309e26bb86cd25c49540

SHA1
86b7de2a4a84b82ef19e0626b34edda01e46c93d

SHA256
3c3c6e8eaccf40b723d6225fdfb58a29e42c8071406bf70ef427c59fae21ea85

SHA512
22172711f774a1163e6b25d6c229b925f87d088c0cb494b0c827bd4c6e0d153352048739a2254ce0ea364f45c74710da13a53fa256992feb1f31861bdc8d4631

Download Submit
\ProgramData\2266\msseedir.dll

Filesize
92KB

MD5
7cb12175da81309e26bb86cd25c49540

SHA1
86b7de2a4a84b82ef19e0626b34edda01e46c93d

SHA256
3c3c6e8eaccf40b723d6225fdfb58a29e42c8071406bf70ef427c59fae21ea85

SHA512
22172711f774a1163e6b25d6c229b925f87d088c0cb494b0c827bd4c6e0d153352048739a2254ce0ea364f45c74710da13a53fa256992feb1f31861bdc8d4631

Download Submit
memory/1340-72-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1340-71-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1340-70-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1340-69-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1792-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-63-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/1792-62-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1792-61-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/1792-60-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1792-59-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1792-54-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1792-57-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1792-56-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download
memory/1792-55-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download