Analysis

max time kernel: 24s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 29-01-2023 17:36
Static task: static1
Behavioral task: behavioral1
Sample: c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe
Resource: win7-20221111-en
General

Target: c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe
Size: 1.9MB
MD5: 9ab1ae955189a6992ef318d4c79c5fd2
SHA1: d6425da91881200bd174d1e5028ff5afcc05ce1e
SHA256: c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91
SHA512: d6026f83d18aad6d6584f1dc25da8bbf13420d4fae1f5bd4d29e29915854cd80168a6408c7859ee98b1a44c95e8d9705693475aed0c570d4fa8dd8e331c584d6
SSDEEP: 49152:/cW4fbpU9uNOLyRLY7gcSIRZ/y9/ghtlAsPog:/X4DFNu2ySIX/y5gPlAsPog
Malware Config
Extracted
socelars
http://www.sblinfo.pw/index.php/
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
  1148  DiskScan.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe
  1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
  1856  WerFault.exe
  1856  WerFault.exe
  1856  WerFault.exe
  1856  WerFault.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1856  1148        WerFault.exe  29

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
  1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1224 wrote to memory of 1812   1224  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe   28
  PID 1812 wrote to memory of 1148   1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp   29
  PID 1812 wrote to memory of 1148   1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp   29
  PID 1812 wrote to memory of 1148   1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp   29
  PID 1812 wrote to memory of 1148   1812  c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp   29
  PID 1148 wrote to memory of 1856   1148  DiskScan.exe                                                            31
  PID 1148 wrote to memory of 1856   1148  DiskScan.exe                                                            31
  PID 1148 wrote to memory of 1856   1148  DiskScan.exe                                                            31
  PID 1148 wrote to memory of 1856   1148  DiskScan.exe                                                            31
Processes

1. C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe
   Command: "C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1224

   2. C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
      Command: "C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp" /SL5="$7012C,1248603,784384,C:\Users\Admin\AppData\Local\Temp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1812

      3. C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe
         Command: "C:\Users\Admin\AppData\Local\Temp\DiskProtect18889\DiskScan.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 1148

         4. C:\Windows\SysWOW64\WerFault.exe
            Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 592
            - Loads dropped DLL
            - Program crash
            PID: 1856
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.1MB
MD5: 86443429e6c9b2b90755676c9f0996ea
SHA1: b389c7903305ad002f1c3bfb817000dafdc24783
SHA256: 04ea3db67ff876112ddad55ba4ac65f3383c16333e6b02385d27402b5eab2b13
SHA512: ba1c162fb922fd9f3ef95cfc4f5037d6eb71cf1311624bf599a3b043471503751b4b9282cdb3449e8716608a2163c4d71adb585b7f7fa8939c2e04c13866f9d4

C:\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
Filesize: 2.5MB
MD5: ce5267795af9aa0df86c9406686a9296
SHA1: eaa104d1400ea7c5fce8b7ee85891e41afee5e47
SHA256: 0be9a338898ab0da948885bc4810e3faf32e0012460bc0a2ece5ccebe5249d70
SHA512: d9da631525363d26f073398e264afea1460585f3644e85cc43f761d46ebadb83e92eecb20363e0fea9fe4a5698148ec5501745db79c1f3c4d5efbcf7fd922d47
\Users\Admin\AppData\Local\Temp\is-IPBLA.tmp\c049a530ea43c92972a2ddb69ace0a26f5688155231183bd5797fd184eaa4b91.tmp
Filesize: 2.5MB
MD5: ce5267795af9aa0df86c9406686a9296
SHA1: eaa104d1400ea7c5fce8b7ee85891e41afee5e47
SHA256: 0be9a338898ab0da948885bc4810e3faf32e0012460bc0a2ece5ccebe5249d70
SHA512: d9da631525363d26f073398e264afea1460585f3644e85cc43f761d46ebadb83e92eecb20363e0fea9fe4a5698148ec5501745db79c1f3c4d5efbcf7fd922d47