57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d

Analysis

max time kernel
8s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
Size

646KB
MD5

841adb8cf1330ca95d3c0e5881d9628e
SHA1

fce648dd0cd3c82c6317c3a3b3d4e429ee0d051f
SHA256

57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d
SHA512

65fd477acac6480dffa4f6e79e6adc837c986da04fbbe62066bff9b3abf876bc865079121ff1cf7e2470c9a7a5dc1d1178374131fad9ae8491b32cf007cfe164
SSDEEP

12288:7wS9PwuuTA4KZoCiaVjPOfQW8GLXYA4rPqpx9qCW+6rLtZNRlB5/gLXi7d:7wSETA4ertCfQW8GLXYA4Wcz+6rhoLm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1652	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
1652	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1652	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
1652	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
1652	57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe

C:\Users\Admin\AppData\Local\Temp\57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe
"C:\Users\Admin\AppData\Local\Temp\57b397fa4cd2b31b30edbb4f0eea645c05f58a3b76cfef7aa06c913a1a29343d.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd83B2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd83B2.tmp\v1076312.dll

Filesize
807KB

MD5
d242cc4f981ca8a8b49ec1487e23ac5d

SHA1
aa76095ae89dd82098098e231a63505a771959c5

SHA256
ffd64ef8246fa371f3f2084fe5743aea278d6ecb7a7f537717b02f0ad9e1817f

SHA512
940570b07a5943e5cc96eec15f122ed832096fafc7ffffbad868d01607f328a87b7e0ffc7e95746413444327a32c1d49a4cf016991eb7614ef036054f7a75888

Download Submit
memory/1652-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download