Analysis
- max time kernel: 28s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 09-12-2022 19:28
Static task: static1
Behavioral task: behavioral1
  Sample: 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
  Resource: win7-20221111-en
General
- Target: 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
- Size: 239KB
- MD5: 61672650363565ad7ce71c5a261a5e7e
- SHA1: da70e0ed691217615c57963c58e18de927c13294
- SHA256: 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609
- SHA512: 17b7867c3329a1ccd514cb265622d9bcf8a817d29b49e7c9fd12e49ae905ef09683da32e41ed57054f0451b3fc7f562ad999c59558948659e63cfe17f23fc824
- SSDEEP: 6144:QBn10ffIoo3VeRy65qQvT1GLwbTWYM89y7rOjPwA:gSR5qubqS96SD
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: lkhgcvox.exe
    pid 892  process lkhgcvox.exe
- Loads dropped DLL (2 IoCs)
  Processes: 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
    pid 1348  process 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
    pid 1348  process 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
    description: PID 1348 wrote to memory of 892  pid 1348  process 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe  target process lkhgcvox.exe
    description: PID 1348 wrote to memory of 892  pid 1348  process 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe  target process lkhgcvox.exe
    description: PID 1348 wrote to memory of 892  pid 1348  process 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe  target process lkhgcvox.exe
    description: PID 1348 wrote to memory of 892  pid 1348  process 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe  target process lkhgcvox.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1348
  - C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe" C:\Users\Admin\AppData\Local\Temp\lgjvm.n
    - Executes dropped EXE
    PID: 892
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
  Filesize: 58KB
  MD5: 436337374849644f54f370b2931c5f9c
  SHA1: 23024687bca7f77b61d5f9c9f08c622998d8798f
  SHA256: 03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493
  SHA512: 614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa
- \Users\Admin\AppData\Local\Temp\lkhgcvox.exe
  Filesize: 58KB
  MD5: 436337374849644f54f370b2931c5f9c
  SHA1: 23024687bca7f77b61d5f9c9f08c622998d8798f
  SHA256: 03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493
  SHA512: 614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa
- memory/892-57-0x0000000000000000-mapping.dmp
- memory/1348-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB