Overview

overview

8

Static

static

cda5d66c11...4d.exe

windows7-x64

8

cda5d66c11...4d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    233s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cda5d66c1138e76bd3368cf9cf2a5a34f48f3bfc7de5978e944237628b89014d.exe

  • Size

    574KB

  • MD5

    f31d618f916d8b303a9852cb9ea39338

  • SHA1

    bf2eb2bee96edbdcf4b89cc3669d542025bb2dc1

  • SHA256

    cda5d66c1138e76bd3368cf9cf2a5a34f48f3bfc7de5978e944237628b89014d

  • SHA512

    53698f39719a7a1c02ba9a055e7cf7d75b792eecf30775c08c4da4a6c09306cc0339fc35760fcc7f38c24e0acd472ddee75cb0b02ef9dbca57f0b8d59533fc14

  • SSDEEP

    12288:Vq4VoAabY6L9OHTu/aCVpFaA0BqaFIfj0GjpQJuUfceEUgc3:44pmxOcdjNMIfjZQJuhV9c3

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cda5d66c1138e76bd3368cf9cf2a5a34f48f3bfc7de5978e944237628b89014d.exe
    "C:\Users\Admin\AppData\Local\Temp\cda5d66c1138e76bd3368cf9cf2a5a34f48f3bfc7de5978e944237628b89014d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\bcgxdvwvqm.exe
      "C:\Users\Admin\AppData\Local\Temp\bcgxdvwvqm.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies WinLogon
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        PID:836
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bcgxdvwvqm.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bcgxdvwvqm.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cda5d66c1138e76bd3368cf9cf2a5a34f48f3bfc7de5978e944237628b89014d.jpg
    Filesize

    503KB

    MD5

    1c35d147a259abcbd7da27ccf3af6a77

    SHA1

    7d77320b2ec4883d35981e51d1ff44839ef7cf66

    SHA256

    dd30b4b43591516f1e31096cf79d2a305bc71cf4ec655867044348623cdf585d

    SHA512

    71ae0966c4c682dd1269bd920a74ebd48020ee6dae17ae0a6712d76c73c1f38eb8eb4159b7db9145bb6113731514453125feaf0e57b0ee43404f1e2ce01b18e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\bcgxdvwvqm.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\bcgxdvwvqm.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wcsydrv.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wcsydrv.exe
    Filesize

    64KB

    MD5

    686fd1c2aa2579e6db6f57dc5f024642

    SHA1

    63a636bae3f4c70190ed82b3722a7469c0b51eb2

    SHA256

    465286962013623c6e710a82a1ff2b5b7fd4d16ca85a400bbf4aea804c2b7c3c

    SHA512

    d7307599bdc16a552f3d4e0fa4f66ee98e9ce7028be8f7988bd33485a72aa58533263a1adfd92e849a17cda1b1f7701b2242ec880e6984307f03973459cfc7bb

    Download Submit

  • memory/540-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

    Filesize

    8KB

    Download