d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6

Analysis

max time kernel
31s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe
Size

41KB
MD5

66605b3fdea1cf76273996d6c7b9c995
SHA1

b5deae1f73e1048792797e76671766225e54b456
SHA256

d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6
SHA512

ab00f00b58f56c80996c972cec4a1391f12af6e4649e71204a532ce14f8e13a65c0f8f61bf8537783c8ce78efd576f4bb1ba2485488d590d6694ca0112f01bbf
SSDEEP

768:QGBar1ZIZYnfI9opm6AIHIjaI7g9mVmUndoNE/W5dRV8:fW1ZIZqI9opm6AIHIjzmU2Nzd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	sxhost.exe

Deletes itself 1 IoCs

pid	Process
1756	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe
1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 980	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	28
PID 1364 wrote to memory of 980	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	28
PID 1364 wrote to memory of 980	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	28
PID 1364 wrote to memory of 980	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	28
PID 1364 wrote to memory of 1756	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	29
PID 1364 wrote to memory of 1756	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	29
PID 1364 wrote to memory of 1756	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	29
PID 1364 wrote to memory of 1756	1364	d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe	29
PID 980 wrote to memory of 1652	980	sxhost.exe	33
PID 980 wrote to memory of 1652	980	sxhost.exe	33
PID 980 wrote to memory of 1652	980	sxhost.exe	33
PID 980 wrote to memory of 1652	980	sxhost.exe	33

C:\Users\Admin\AppData\Local\Temp\d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe
"C:\Users\Admin\AppData\Local\Temp\d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\sxhost.exe
  "C:\Users\Admin\sxhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\sxhost.exe >> NUL
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D7B7D5~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sxhost.exe

Filesize
41KB

MD5
66605b3fdea1cf76273996d6c7b9c995

SHA1
b5deae1f73e1048792797e76671766225e54b456

SHA256
d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6

SHA512
ab00f00b58f56c80996c972cec4a1391f12af6e4649e71204a532ce14f8e13a65c0f8f61bf8537783c8ce78efd576f4bb1ba2485488d590d6694ca0112f01bbf

Download Submit
C:\Users\Admin\sxhost.exe

Filesize
41KB

MD5
66605b3fdea1cf76273996d6c7b9c995

SHA1
b5deae1f73e1048792797e76671766225e54b456

SHA256
d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6

SHA512
ab00f00b58f56c80996c972cec4a1391f12af6e4649e71204a532ce14f8e13a65c0f8f61bf8537783c8ce78efd576f4bb1ba2485488d590d6694ca0112f01bbf

Download Submit
\Users\Admin\sxhost.exe

Filesize
41KB

MD5
66605b3fdea1cf76273996d6c7b9c995

SHA1
b5deae1f73e1048792797e76671766225e54b456

SHA256
d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6

SHA512
ab00f00b58f56c80996c972cec4a1391f12af6e4649e71204a532ce14f8e13a65c0f8f61bf8537783c8ce78efd576f4bb1ba2485488d590d6694ca0112f01bbf

Download Submit
\Users\Admin\sxhost.exe

Filesize
41KB

MD5
66605b3fdea1cf76273996d6c7b9c995

SHA1
b5deae1f73e1048792797e76671766225e54b456

SHA256
d7b7d5be360f9e2df7a336e6ee03bbd9be1592ea473561ee20b7c609333255e6

SHA512
ab00f00b58f56c80996c972cec4a1391f12af6e4649e71204a532ce14f8e13a65c0f8f61bf8537783c8ce78efd576f4bb1ba2485488d590d6694ca0112f01bbf

Download Submit
memory/1364-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download