9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827.exe
Size

1.3MB
MD5

4be9336ceaa22fd40d90962badd53e3c
SHA1

0544c913ee3d69e7e113064c9889e1a745879940
SHA256

9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827
SHA512

5d090216f8357c1e70df6975810df685f4d175b0bddfa09f2ba7375c8246010bc0dac8df9d2a95d9e9820aa5c471f91df00871911e09a1eb493980db60023545
SSDEEP

24576:Bg3Hg8/q1zPlpjxLIk078IJnh1qAm9uA/AR1mcXeMaM8KhE6P828NNC:Bg3Hge8PBIkM8IJnh8A6AR1C5/Ke6Plp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	MathCenterLevel2.exe

Loads dropped DLL 4 IoCs

pid	Process
1684	MathCenterLevel2.exe
1684	MathCenterLevel2.exe
1684	MathCenterLevel2.exe
1684	MathCenterLevel2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	MathCenterLevel2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	MathCenterLevel2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1684	2016	9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827.exe	78
PID 2016 wrote to memory of 1684	2016	9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827.exe	78
PID 2016 wrote to memory of 1684	2016	9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827.exe	78

C:\Users\Admin\AppData\Local\Temp\9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827.exe
"C:\Users\Admin\AppData\Local\Temp\9756019f2cb8b2f9176998a217b2e978c761ba568f645fc08cbc3e4749869827.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\MathCenterLevel2.exe
  .\MathCenterLevel2.exe /m="C:\Users\Admin\AppData\Local\Temp\975601~1.EXE" /k=""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mia1\mDotNetExec.dll

Filesize
397KB

MD5
3905d09c98dcb9668fc106b67c88fa60

SHA1
61d7c4b7564b49e1f4d9cd4f20a5f625aad1df13

SHA256
dbb46f0b80f2937b1850d8fddf0c1fc840fe2caa5dbb6b15e82a82c9bc669311

SHA512
2913ad67b973829abbf0c84b389dfcdd742d4c47c165c12f4b54d27325e1b1e23e3a5389180d889150e3c3a70fb20f0568c8a5c71e7f339a77cded5c266767a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\mWinRunExec.dll

Filesize
397KB

MD5
fdca6bd0013cbb1796920c68a574a56d

SHA1
087654a788096ed4b9e0eb8220d18c443d97f07c

SHA256
b845e304db5655ae2439bc7cccaff789c4afd39486697e36dc50eb365e83ecc2

SHA512
464e2c5406dcf0f663012cc23e1d7d4df7ef2d060d1a1d700a4da1c0f211514b3025aebc94e956aba7e6e36a09dbd04082630d89b80d4465d372564c4d881d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\mWinRunExec.dll

Filesize
397KB

MD5
fdca6bd0013cbb1796920c68a574a56d

SHA1
087654a788096ed4b9e0eb8220d18c443d97f07c

SHA256
b845e304db5655ae2439bc7cccaff789c4afd39486697e36dc50eb365e83ecc2

SHA512
464e2c5406dcf0f663012cc23e1d7d4df7ef2d060d1a1d700a4da1c0f211514b3025aebc94e956aba7e6e36a09dbd04082630d89b80d4465d372564c4d881d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\MathCenterLevel2.exe

Filesize
2.2MB

MD5
aed710e7bdd525749c3b710436fabb8f

SHA1
4125e6d14417b8bef4f93d3dca5dd20074021c5a

SHA256
14b18e4ae7a8dab60a53ba4bc4a24bdf1ccc2a1dfb093081c1a87348d342f948

SHA512
145de6e9dd80d322b111b57cd86810d43dfae3bb2eb27371df342fee912f6688b19b92cf5f7ad9220bc832a22e25a70e3d81243a8eaa5e8729e185ee1671f329

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\MathCenterLevel2.exe

Filesize
2.2MB

MD5
aed710e7bdd525749c3b710436fabb8f

SHA1
4125e6d14417b8bef4f93d3dca5dd20074021c5a

SHA256
14b18e4ae7a8dab60a53ba4bc4a24bdf1ccc2a1dfb093081c1a87348d342f948

SHA512
145de6e9dd80d322b111b57cd86810d43dfae3bb2eb27371df342fee912f6688b19b92cf5f7ad9220bc832a22e25a70e3d81243a8eaa5e8729e185ee1671f329

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\MathCenterLevel2.msi

Filesize
258KB

MD5
365807d468879289921221cd458d5f1a

SHA1
019a3a32592572a9749a1d042ed9beb40d1c21c6

SHA256
3d7b21cbdc0fc47712bbc5b92358cd5ff3a98eaf0dea6bf4055cfa7d71a00728

SHA512
1af2a565e5d2ac01d879ed7e692634d93a79f09dba6cee5475aec76bfcee723e81d3f66faabd169d92b440a0dc1a45a0ebf6559ec7dd0670a870746873f379b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\MathCenterLevel2.res

Filesize
2.2MB

MD5
580dd6687a5d232bffdb2545149c0c64

SHA1
e3d4c3169ec6f0f779a549bfdb961dd35e9630e5

SHA256
27334c801f412b3a6394b694df62d321155c84c7c460b6611b9e5fe1f8ed6464

SHA512
de4b8e231d65fb53bb4034ef109fefbc5120b3299814834f5b5698dbca322e8a32c34a29c988fd07914ba989f584ff333f00bc904f2e08afde167414b91adf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\mia.lib

Filesize
565KB

MD5
e6c930ab2d929ce6ac088799b57ae430

SHA1
8d1628b4f816dc93b8f843e7a28d760ad0edccc6

SHA256
d3125717c7f99cee05045995d10f2986f9a2608ffdedfb29b34b472f3f36f952

SHA512
a3d082674d9a4314bdae8e9ac429bd22030bc7ff69c695afd53ba9a785c7a5ff44fd7599278bb0422378b0aae3102d652f2cc03574285729196078f2717bae4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaE312.tmp\mia.lib

Filesize
565KB

MD5
e6c930ab2d929ce6ac088799b57ae430

SHA1
8d1628b4f816dc93b8f843e7a28d760ad0edccc6

SHA256
d3125717c7f99cee05045995d10f2986f9a2608ffdedfb29b34b472f3f36f952

SHA512
a3d082674d9a4314bdae8e9ac429bd22030bc7ff69c695afd53ba9a785c7a5ff44fd7599278bb0422378b0aae3102d652f2cc03574285729196078f2717bae4f

Download Submit
memory/1684-141-0x0000000005040000-0x00000000050AD000-memory.dmp

Filesize
436KB

Download