Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2022 18:57

General

  • Target

    61ed6a1b4f40b31bc00d66d145b3a19f883d6f1a8e3dffc6ea6394e783af6024.exe

  • Size

    332KB

  • MD5

    1c087e4778199ab95e4f7c0ceff40f0e

  • SHA1

    f8766e9df570a3a641c52ec98d2c0b5c87e5f969

  • SHA256

    61ed6a1b4f40b31bc00d66d145b3a19f883d6f1a8e3dffc6ea6394e783af6024

  • SHA512

    d6a0785a6e121c977ba6188d2b8d434424afddb9f30295825c1d9077cf2eb480d48a48d2ffcefc7a944ca21915edf1b9fa4dbf9b4e417e53501fe0bf2c2d8c2e

  • SSDEEP

    3072:Vq9jSeaNxBuD7mEVSuekhGkYrQRVZq3eFo4ejLnlQISQLpyhZu6qyKtrlbHrs2OI:R5NxO2WGk1Y3nmQcuyKdFrs2OXuHNz

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61ed6a1b4f40b31bc00d66d145b3a19f883d6f1a8e3dffc6ea6394e783af6024.exe
    "C:\Users\Admin\AppData\Local\Temp\61ed6a1b4f40b31bc00d66d145b3a19f883d6f1a8e3dffc6ea6394e783af6024.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\diaeduq.exe
      "C:\Users\Admin\diaeduq.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:948

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\diaeduq.exe

    Filesize

    332KB

    MD5

    c269be41e54e58bbed8d1bc2730ad2b7

    SHA1

    4e8c3c17fcd653b8433846e986a3e7de8d5deff0

    SHA256

    bb7710d325d2599ce01dda5ab7988264027b4942520120535818d16fb3cea630

    SHA512

    db94c8588084c25bc7cf07612faa6db7d7a61d5cb448faa3d13a9e0a23a92bff6c91f4d31942d2ac853e9cdfa8da499bf579c9451842770d3c0818d491cd46bc

  • \Users\Admin\diaeduq.exe

    Filesize

    332KB

    MD5

    c269be41e54e58bbed8d1bc2730ad2b7

    SHA1

    4e8c3c17fcd653b8433846e986a3e7de8d5deff0

    SHA256

    bb7710d325d2599ce01dda5ab7988264027b4942520120535818d16fb3cea630

    SHA512

    db94c8588084c25bc7cf07612faa6db7d7a61d5cb448faa3d13a9e0a23a92bff6c91f4d31942d2ac853e9cdfa8da499bf579c9451842770d3c0818d491cd46bc

  • memory/948-59-0x0000000000000000-mapping.dmp

  • memory/1932-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

    Filesize

    8KB