b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9

Analysis

max time kernel
139s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
14-02-2023 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe
Size

11.9MB
MD5

fb4debd112aceb8682f807251ad5a916
SHA1

68ac6f256cdb5fb4dd49504915fb5e23ec68d4d6
SHA256

b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9
SHA512

17f362c89624b278296f8e1f73e100e165b81d13ee7dca277229b6a9596f2513fb9639349620a2b55badbb8c5c55521f01c51ffe918fb063b3a061cdd8d36bdb
SSDEEP

196608:xEP+6cL/922hPs7wcjJoRkT1Rz+ie8YqS0PTMhcst6qlz/djYdCK02WtuniyskwQ:2P+6a08U7wclleCLTMhcy6qlz1R92Uu1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1004	setup.exe
584	is-J5UV4.tmp

Loads dropped DLL 8 IoCs

pid	Process
1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe
1004	setup.exe
1004	setup.exe
1004	setup.exe
1004	setup.exe
584	is-J5UV4.tmp
584	is-J5UV4.tmp
584	is-J5UV4.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
584	is-J5UV4.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1112 wrote to memory of 1004	1112	b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe	28
PID 1004 wrote to memory of 584	1004	setup.exe	29
PID 1004 wrote to memory of 584	1004	setup.exe	29
PID 1004 wrote to memory of 584	1004	setup.exe	29
PID 1004 wrote to memory of 584	1004	setup.exe	29
PID 1004 wrote to memory of 584	1004	setup.exe	29
PID 1004 wrote to memory of 584	1004	setup.exe	29
PID 1004 wrote to memory of 584	1004	setup.exe	29

C:\Users\Admin\AppData\Local\Temp\b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe
"C:\Users\Admin\AppData\Local\Temp\b8929963c073acc1e20a696ada8d2990c3baeed41e22078eed6232a37b853af9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\RepTasks2012\setup.exe
  "C:\RepTasks2012\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\is-RSPFE.tmp\is-J5UV4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RSPFE.tmp\is-J5UV4.tmp" /SL4 $A0124 C:\RepTasks2012\setup.exe 7742148 72704
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
C:\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSPFE.tmp\is-J5UV4.tmp

Filesize
13.3MB

MD5
dfaa0ffd9ca26dd3bafcda07e6e601eb

SHA1
e89c038b24172a86e3b0b2f007e043631aa05a2e

SHA256
cc5597b5a6c9dfb96d3a5079cf42f27ef7e5e1cf914c050bcb2602914921df48

SHA512
0707c6f6e29543bf7f7fe159dca74832ede537c61b5b2abbb368cfe7511e224faabccfc1836abb03b920f35d00b033fc0c19723263264d2f5b2d0a1513ca4269

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RSPFE.tmp\is-J5UV4.tmp

Filesize
13.3MB

MD5
dfaa0ffd9ca26dd3bafcda07e6e601eb

SHA1
e89c038b24172a86e3b0b2f007e043631aa05a2e

SHA256
cc5597b5a6c9dfb96d3a5079cf42f27ef7e5e1cf914c050bcb2602914921df48

SHA512
0707c6f6e29543bf7f7fe159dca74832ede537c61b5b2abbb368cfe7511e224faabccfc1836abb03b920f35d00b033fc0c19723263264d2f5b2d0a1513ca4269

Download Submit
\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
\RepTasks2012\setup.exe

Filesize
10.6MB

MD5
339917d6c5f2ca27cc9b13cb6da6bea2

SHA1
88899ca8178def48f8c2d78a7c009a74e2889efe

SHA256
5e355e921951e8456f98c38163f182d8ddaa4d24eb126c93177f0a8d09de227d

SHA512
347a5ba8c739a8f9c33764162b9116d281c922687e6ae99f325b9044c8655680b3f02c045dfb901243e3b1dba14f8c6784b5dfb71aa5e874929b54774e3cd950

Download Submit
\Users\Admin\AppData\Local\Temp\is-RFSO9.tmp\_isdecmp.dll

Filesize
12KB

MD5
9f015911c4073ba9b8ad5a4c36fcaf88

SHA1
d4bd8d2348a2a6294f3f92ad7831f2cf660da6a5

SHA256
c630fb87c007c1e3d008eac97edf7e025c0cb806c886971e32b7063d606fd125

SHA512
c36dc582141259ec0813edf531431870f96acc346e3f9af0cd86544245a84bb2d6bc4c37518bf309fa0922cdd5535d087e4fef20f0d5aa0494b1a4b0ce388ea9

Download Submit
\Users\Admin\AppData\Local\Temp\is-RFSO9.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RFSO9.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RSPFE.tmp\is-J5UV4.tmp

Filesize
13.3MB

MD5
dfaa0ffd9ca26dd3bafcda07e6e601eb

SHA1
e89c038b24172a86e3b0b2f007e043631aa05a2e

SHA256
cc5597b5a6c9dfb96d3a5079cf42f27ef7e5e1cf914c050bcb2602914921df48

SHA512
0707c6f6e29543bf7f7fe159dca74832ede537c61b5b2abbb368cfe7511e224faabccfc1836abb03b920f35d00b033fc0c19723263264d2f5b2d0a1513ca4269

Download Submit
memory/1004-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1004-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1112-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download