bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c

Analysis

max time kernel
38s
max time network
83s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe
Size

27KB
MD5

e8e824a44e1500700f22fd3b45a03a56
SHA1

c6b5aa6afa4683b4061ea82c934b1c14ae00267b
SHA256

bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c
SHA512

6dd55bce6ebb2b86103c8ac167ddedeefb73c81f6935ccff0cb837849e7fd29f13049b4f299fc29eaabaabe1be4205e871d6ebae0eacc23909560f6136d460fb
SSDEEP

384:2nEbDbWx5+yhXAwk4jEEsc0PyrcKzFziZGYPViYtI5bjH:dXbleDv0c0qrcKF0viFFH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1836	ssvchost.exe

Loads dropped DLL 2 IoCs

pid	Process
932	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe
932	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host Manager = "C:\\Users\\Admin\\ssvchost.exe"	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1836	932	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe	30
PID 932 wrote to memory of 1836	932	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe	30
PID 932 wrote to memory of 1836	932	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe	30
PID 932 wrote to memory of 1836	932	bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe	30

C:\Users\Admin\AppData\Local\Temp\bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe
"C:\Users\Admin\AppData\Local\Temp\bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\ssvchost.exe
  "C:\Users\Admin\ssvchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PULJ7CSW\logo[1].gif

Filesize
8KB

MD5
e80d1c59a673f560785784fb1ac10959

SHA1
fd852df5478eb7eb9410ee9101bb364adf487fb0

SHA256
b89fe394c4ed380e4a4fac663ac6193dc04219464054bad9033765fc6a1e0311

SHA512
78b3294445a4d0f1153bcd29b6f5172fedc267e69465b3e516298dadff9e6df917f440fc701d0a2fbc22920bfb5a2272d92ba700e7bb14c40f42d0c288ff4417

Download Submit
C:\Users\Admin\ssvchost.exe

Filesize
27KB

MD5
e8e824a44e1500700f22fd3b45a03a56

SHA1
c6b5aa6afa4683b4061ea82c934b1c14ae00267b

SHA256
bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c

SHA512
6dd55bce6ebb2b86103c8ac167ddedeefb73c81f6935ccff0cb837849e7fd29f13049b4f299fc29eaabaabe1be4205e871d6ebae0eacc23909560f6136d460fb

Download Submit
\??\c:\logo.gif

Filesize
8KB

MD5
e80d1c59a673f560785784fb1ac10959

SHA1
fd852df5478eb7eb9410ee9101bb364adf487fb0

SHA256
b89fe394c4ed380e4a4fac663ac6193dc04219464054bad9033765fc6a1e0311

SHA512
78b3294445a4d0f1153bcd29b6f5172fedc267e69465b3e516298dadff9e6df917f440fc701d0a2fbc22920bfb5a2272d92ba700e7bb14c40f42d0c288ff4417

Download Submit
\Users\Admin\ssvchost.exe

Filesize
27KB

MD5
e8e824a44e1500700f22fd3b45a03a56

SHA1
c6b5aa6afa4683b4061ea82c934b1c14ae00267b

SHA256
bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c

SHA512
6dd55bce6ebb2b86103c8ac167ddedeefb73c81f6935ccff0cb837849e7fd29f13049b4f299fc29eaabaabe1be4205e871d6ebae0eacc23909560f6136d460fb

Download Submit
\Users\Admin\ssvchost.exe

Filesize
27KB

MD5
e8e824a44e1500700f22fd3b45a03a56

SHA1
c6b5aa6afa4683b4061ea82c934b1c14ae00267b

SHA256
bd1a450ee4b738b52b8f78be11713f902eacbd3af639dcf131c5d81251f5485c

SHA512
6dd55bce6ebb2b86103c8ac167ddedeefb73c81f6935ccff0cb837849e7fd29f13049b4f299fc29eaabaabe1be4205e871d6ebae0eacc23909560f6136d460fb

Download Submit
memory/932-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download