a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe
Size

316KB
MD5

750870a6876e868b8198ebedd1c468b6
SHA1

d4c07a4768c5975ca3a0d608d432c2102e600dad
SHA256

a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5
SHA512

33bf7d6a913ca125597e95d664cb0c15ed9f22f29af0f12600fe4b49504f89ece0f2ef1599789662c377babec6ce4d9602a39f178fb6d8e38b92789155b428c6
SSDEEP

6144:6tjFMvCNlfbJ+7Nj6Y9BEN92Nzukgm9t17GxQ2qMUYTmJ:6tG6N1bkJ6Ykb2x4+tZbb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1168	faany.exe
1748	msn.exe

Loads dropped DLL 6 IoCs

pid	Process
1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe
1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe
1168	faany.exe
1168	faany.exe
1168	faany.exe
1748	msn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1748	msn.exe
1748	msn.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1600 wrote to memory of 1168	1600	a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe	27
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1168 wrote to memory of 1748	1168	faany.exe	28
PID 1748 wrote to memory of 1208	1748	msn.exe	19
PID 1748 wrote to memory of 1208	1748	msn.exe	19
PID 1748 wrote to memory of 1208	1748	msn.exe	19
PID 1748 wrote to memory of 1208	1748	msn.exe	19

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe
  "C:\Users\Admin\AppData\Local\Temp\a470f516a2fed028246a1e0b22ce53911adcb0bcab2f4383a54621e5949c79f5.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\msn.exe
      "C:\Users\Admin\AppData\Local\Temp\msn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe

Filesize
163KB

MD5
47f035a38f19aeb26f9e1ccd2049b5e3

SHA1
cadac5fac34e6f9e508f62c4b9615088c5e2ff4a

SHA256
65c3899662df344a80fc02c822a12b321d8918edf87262a0ea0ef23be2be74c3

SHA512
12f91b6dea11b5e3a1960fa226fcda2913bb2db632d23d1a80423c0be8aa42ab87fcf6951b77ab2402941e1cf00e6fc9f0e0ab8d3a7c6c2b9aba91ca00df2d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe

Filesize
163KB

MD5
47f035a38f19aeb26f9e1ccd2049b5e3

SHA1
cadac5fac34e6f9e508f62c4b9615088c5e2ff4a

SHA256
65c3899662df344a80fc02c822a12b321d8918edf87262a0ea0ef23be2be74c3

SHA512
12f91b6dea11b5e3a1960fa226fcda2913bb2db632d23d1a80423c0be8aa42ab87fcf6951b77ab2402941e1cf00e6fc9f0e0ab8d3a7c6c2b9aba91ca00df2d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
161KB

MD5
124b190b15fb1152b80a7ea40eafac49

SHA1
310e49500836e8a4adaeefc234e38d18f0b9d8a1

SHA256
de2c1e61ee06efc568b49499b27a230222d3c4124c49aad97c55adb6423dba71

SHA512
0a06fd79d0ca5f00cc33e001d6032c857595b516deb8372e96f8709883cf330f285feecb1d3d09dff9eb30f5ba54ff790cc7592bfec74a5859bcbcda9f6842a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
161KB

MD5
124b190b15fb1152b80a7ea40eafac49

SHA1
310e49500836e8a4adaeefc234e38d18f0b9d8a1

SHA256
de2c1e61ee06efc568b49499b27a230222d3c4124c49aad97c55adb6423dba71

SHA512
0a06fd79d0ca5f00cc33e001d6032c857595b516deb8372e96f8709883cf330f285feecb1d3d09dff9eb30f5ba54ff790cc7592bfec74a5859bcbcda9f6842a8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe

Filesize
163KB

MD5
47f035a38f19aeb26f9e1ccd2049b5e3

SHA1
cadac5fac34e6f9e508f62c4b9615088c5e2ff4a

SHA256
65c3899662df344a80fc02c822a12b321d8918edf87262a0ea0ef23be2be74c3

SHA512
12f91b6dea11b5e3a1960fa226fcda2913bb2db632d23d1a80423c0be8aa42ab87fcf6951b77ab2402941e1cf00e6fc9f0e0ab8d3a7c6c2b9aba91ca00df2d93

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe

Filesize
163KB

MD5
47f035a38f19aeb26f9e1ccd2049b5e3

SHA1
cadac5fac34e6f9e508f62c4b9615088c5e2ff4a

SHA256
65c3899662df344a80fc02c822a12b321d8918edf87262a0ea0ef23be2be74c3

SHA512
12f91b6dea11b5e3a1960fa226fcda2913bb2db632d23d1a80423c0be8aa42ab87fcf6951b77ab2402941e1cf00e6fc9f0e0ab8d3a7c6c2b9aba91ca00df2d93

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\faany.exe

Filesize
163KB

MD5
47f035a38f19aeb26f9e1ccd2049b5e3

SHA1
cadac5fac34e6f9e508f62c4b9615088c5e2ff4a

SHA256
65c3899662df344a80fc02c822a12b321d8918edf87262a0ea0ef23be2be74c3

SHA512
12f91b6dea11b5e3a1960fa226fcda2913bb2db632d23d1a80423c0be8aa42ab87fcf6951b77ab2402941e1cf00e6fc9f0e0ab8d3a7c6c2b9aba91ca00df2d93

Download Submit
\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
161KB

MD5
124b190b15fb1152b80a7ea40eafac49

SHA1
310e49500836e8a4adaeefc234e38d18f0b9d8a1

SHA256
de2c1e61ee06efc568b49499b27a230222d3c4124c49aad97c55adb6423dba71

SHA512
0a06fd79d0ca5f00cc33e001d6032c857595b516deb8372e96f8709883cf330f285feecb1d3d09dff9eb30f5ba54ff790cc7592bfec74a5859bcbcda9f6842a8

Download Submit
\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
161KB

MD5
124b190b15fb1152b80a7ea40eafac49

SHA1
310e49500836e8a4adaeefc234e38d18f0b9d8a1

SHA256
de2c1e61ee06efc568b49499b27a230222d3c4124c49aad97c55adb6423dba71

SHA512
0a06fd79d0ca5f00cc33e001d6032c857595b516deb8372e96f8709883cf330f285feecb1d3d09dff9eb30f5ba54ff790cc7592bfec74a5859bcbcda9f6842a8

Download Submit
\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
161KB

MD5
124b190b15fb1152b80a7ea40eafac49

SHA1
310e49500836e8a4adaeefc234e38d18f0b9d8a1

SHA256
de2c1e61ee06efc568b49499b27a230222d3c4124c49aad97c55adb6423dba71

SHA512
0a06fd79d0ca5f00cc33e001d6032c857595b516deb8372e96f8709883cf330f285feecb1d3d09dff9eb30f5ba54ff790cc7592bfec74a5859bcbcda9f6842a8

Download Submit
memory/1208-83-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1600-77-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000001000000-0x000000000104F000-memory.dmp

Filesize
316KB

Download
memory/1600-71-0x0000000001000000-0x000000000104F000-memory.dmp

Filesize
316KB

Download
memory/1600-72-0x0000000000180000-0x0000000000184000-memory.dmp

Filesize
16KB

Download
memory/1600-73-0x00000000001C0000-0x000000000020F000-memory.dmp

Filesize
316KB

Download
memory/1600-74-0x0000000000C51000-0x0000000000C55000-memory.dmp

Filesize
16KB

Download
memory/1600-76-0x0000000000B41000-0x0000000000B45000-memory.dmp

Filesize
16KB

Download
memory/1600-75-0x0000000000C60000-0x0000000000D60000-memory.dmp

Filesize
1024KB

Download
memory/1600-78-0x0000000000E20000-0x0000000000F20000-memory.dmp

Filesize
1024KB

Download
memory/1748-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-82-0x00000000003F1000-0x00000000003F5000-memory.dmp

Filesize
16KB

Download
memory/1748-81-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/1748-80-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/1748-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-86-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1748-87-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-88-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download