5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96

Analysis

max time kernel
4s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe
Size

886KB
MD5

022cbfda2606ec68a43e7bc3118cd8b0
SHA1

a620a950895eb50de56443258fc9efcce9f6c7c4
SHA256

5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96
SHA512

d262247ec50dbb6cc0a8cc990f52b7e5133368cca948f7bdcfcc7661a644a34949d017a687d25486696bb30645fedad6513ee214936d9a2696858ac56a372542
SSDEEP

3072:eaW0/+X1+W7pRJNOEuakd1noAeq6q2OhmbzeuTV:c0/+lirH2Ohmbd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
856	ultranet.exe
616	Instalar.exe

Loads dropped DLL 6 IoCs

pid	Process
1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe
1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe
1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe
616	Instalar.exe
616	Instalar.exe
616	Instalar.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\descompresorbatch.bat	ultranet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe
856	ultranet.exe
616	Instalar.exe
616	Instalar.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 856	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	28
PID 1380 wrote to memory of 856	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	28
PID 1380 wrote to memory of 856	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	28
PID 1380 wrote to memory of 856	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	28
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 1380 wrote to memory of 616	1380	5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe	29
PID 856 wrote to memory of 520	856	ultranet.exe	30
PID 856 wrote to memory of 520	856	ultranet.exe	30
PID 856 wrote to memory of 520	856	ultranet.exe	30
PID 856 wrote to memory of 520	856	ultranet.exe	30

C:\Users\Admin\AppData\Local\Temp\5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe
"C:\Users\Admin\AppData\Local\Temp\5243175a1392f944418fe829ab677d700cd29322efa9fe50f8f93bda2b0e6c96.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\ultranet.exe
  "C:\Users\Admin\AppData\Local\Temp\ultranet.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\descompresorbatch.bat
    3⤵
    PID:520
- C:\Users\Admin\AppData\Local\Temp\Instalar.exe
  "C:\Users\Admin\AppData\Local\Temp\Instalar.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Instalar.exe

Filesize
852KB

MD5
f06d39947b14d2ed2bfb759acc2c70ec

SHA1
5daf98656245d4a173be75e78c895561a3980e5b

SHA256
5d68d3d8d40d04b0e5a6111386b6184c1aa01ba407dd6e74b6afd5eefa37f69a

SHA512
a7e8ccd58ee27a1d041f46aeadca4374d57821dc5abe9bd11f47744af4c0a6a21235e7e6123afa6d35903608ce918059af4ea907083fad8cc8554af52602be0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Instalar.exe

Filesize
852KB

MD5
f06d39947b14d2ed2bfb759acc2c70ec

SHA1
5daf98656245d4a173be75e78c895561a3980e5b

SHA256
5d68d3d8d40d04b0e5a6111386b6184c1aa01ba407dd6e74b6afd5eefa37f69a

SHA512
a7e8ccd58ee27a1d041f46aeadca4374d57821dc5abe9bd11f47744af4c0a6a21235e7e6123afa6d35903608ce918059af4ea907083fad8cc8554af52602be0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultranet.exe

Filesize
22KB

MD5
2ec80f1530686f6d34e1d98a9d239879

SHA1
92bd73f95f2a258dd444f0d7fc33d6aba85eb253

SHA256
3415e33ad1362c633d7916fb61930cbfc7899745a42f8854971ac891bacc8700

SHA512
3e04278a9f7ba1c86eb8dc5106f58aa25c944413025dc35f00b4525beccbc6dc9a57e74233a625b289bdc13b25333542982c6bc96962d45673f79bb2d35f5a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultranet.exe

Filesize
22KB

MD5
2ec80f1530686f6d34e1d98a9d239879

SHA1
92bd73f95f2a258dd444f0d7fc33d6aba85eb253

SHA256
3415e33ad1362c633d7916fb61930cbfc7899745a42f8854971ac891bacc8700

SHA512
3e04278a9f7ba1c86eb8dc5106f58aa25c944413025dc35f00b4525beccbc6dc9a57e74233a625b289bdc13b25333542982c6bc96962d45673f79bb2d35f5a17

Download Submit
\??\c:\windows\descompresorbatch.bat

Filesize
55B

MD5
81785957ec52b4b6196570e14b410c1e

SHA1
4ca83cccd4c7059087869c53fe828cfaa14df4c4

SHA256
57f13a3951783b412c0aecb69308e537328497a6153700ae8c25ba74731b7b1a

SHA512
59c19f685342d8b27a7542bd97d08b1593d2fab24423c3cbff539022bc9475ed4e15561c4ad55e8ac98d2d23f24a15d9631b9cedf8f7dd8dc076789ce7442026

Download Submit
\Users\Admin\AppData\Local\Temp\Instalar.exe

Filesize
852KB

MD5
f06d39947b14d2ed2bfb759acc2c70ec

SHA1
5daf98656245d4a173be75e78c895561a3980e5b

SHA256
5d68d3d8d40d04b0e5a6111386b6184c1aa01ba407dd6e74b6afd5eefa37f69a

SHA512
a7e8ccd58ee27a1d041f46aeadca4374d57821dc5abe9bd11f47744af4c0a6a21235e7e6123afa6d35903608ce918059af4ea907083fad8cc8554af52602be0b

Download Submit
\Users\Admin\AppData\Local\Temp\Instalar.exe

Filesize
852KB

MD5
f06d39947b14d2ed2bfb759acc2c70ec

SHA1
5daf98656245d4a173be75e78c895561a3980e5b

SHA256
5d68d3d8d40d04b0e5a6111386b6184c1aa01ba407dd6e74b6afd5eefa37f69a

SHA512
a7e8ccd58ee27a1d041f46aeadca4374d57821dc5abe9bd11f47744af4c0a6a21235e7e6123afa6d35903608ce918059af4ea907083fad8cc8554af52602be0b

Download Submit
\Users\Admin\AppData\Local\Temp\Instalar.exe

Filesize
852KB

MD5
f06d39947b14d2ed2bfb759acc2c70ec

SHA1
5daf98656245d4a173be75e78c895561a3980e5b

SHA256
5d68d3d8d40d04b0e5a6111386b6184c1aa01ba407dd6e74b6afd5eefa37f69a

SHA512
a7e8ccd58ee27a1d041f46aeadca4374d57821dc5abe9bd11f47744af4c0a6a21235e7e6123afa6d35903608ce918059af4ea907083fad8cc8554af52602be0b

Download Submit
\Users\Admin\AppData\Local\Temp\Instalar.exe

Filesize
852KB

MD5
f06d39947b14d2ed2bfb759acc2c70ec

SHA1
5daf98656245d4a173be75e78c895561a3980e5b

SHA256
5d68d3d8d40d04b0e5a6111386b6184c1aa01ba407dd6e74b6afd5eefa37f69a

SHA512
a7e8ccd58ee27a1d041f46aeadca4374d57821dc5abe9bd11f47744af4c0a6a21235e7e6123afa6d35903608ce918059af4ea907083fad8cc8554af52602be0b

Download Submit
\Users\Admin\AppData\Local\Temp\ultranet.exe

Filesize
22KB

MD5
2ec80f1530686f6d34e1d98a9d239879

SHA1
92bd73f95f2a258dd444f0d7fc33d6aba85eb253

SHA256
3415e33ad1362c633d7916fb61930cbfc7899745a42f8854971ac891bacc8700

SHA512
3e04278a9f7ba1c86eb8dc5106f58aa25c944413025dc35f00b4525beccbc6dc9a57e74233a625b289bdc13b25333542982c6bc96962d45673f79bb2d35f5a17

Download Submit
\Users\Admin\AppData\Local\Temp\ultranet.exe

Filesize
22KB

MD5
2ec80f1530686f6d34e1d98a9d239879

SHA1
92bd73f95f2a258dd444f0d7fc33d6aba85eb253

SHA256
3415e33ad1362c633d7916fb61930cbfc7899745a42f8854971ac891bacc8700

SHA512
3e04278a9f7ba1c86eb8dc5106f58aa25c944413025dc35f00b4525beccbc6dc9a57e74233a625b289bdc13b25333542982c6bc96962d45673f79bb2d35f5a17

Download Submit
memory/1380-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download