Analysis

  • max time kernel
    142s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-03-2023 17:44

General

  • Target

    unhackme_setup.exe

  • Size

    44.0MB

  • MD5

    1c677ebec456a670511e3d3e2456b928

  • SHA1

    f048e21ba204694ffe2e1321db175d5a95596e06

  • SHA256

    75266413fb6a86f525add87aaf73abece18332f98d11c93cd126172ef996380f

  • SHA512

    dcdfcd5ab499775725c212de60a9d09fe2ecee7b19fcb2cdc3981f2a8d7b1d153f8eec05048ded7caeb333a5395edfc27760692aec86ca7ccdb10ea4eef6065a

  • SSDEEP

    786432:2uFKIGjmRl7B65SCkWkU1vsF3rpY+kmY1O7TmIeEZsmxnTZlsPl2rn3UxL05BBo4:2sKIGjmRlN65SxWFtsF3FY+3En07ilSt

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\unhackme_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\unhackme_setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp" /SL5="$70126,44545828,816640,C:\Users\Admin\AppData\Local\Temp\unhackme_setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2004

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp
    Filesize

    5.0MB

    MD5

    3c9041192d7a2565af86075f31d3a7fd

    SHA1

    11f4f96ebfae5725e4d05b66839ef23fd921fd02

    SHA256

    a72b7c2a89b8b7c7c31a46c947e4d7507d47b5977b7d624fdc2faf286d2651e8

    SHA512

    f05a4ba8dfada102982e64fd3807d4d6369932d693bccad43334be89e7bd5a6a984add3c1b17161aa75a3a368cca5370df945dd700bcc75d5a270d90a50033d5

  • \Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp
    Filesize

    5.0MB

    MD5

    3c9041192d7a2565af86075f31d3a7fd

    SHA1

    11f4f96ebfae5725e4d05b66839ef23fd921fd02

    SHA256

    a72b7c2a89b8b7c7c31a46c947e4d7507d47b5977b7d624fdc2faf286d2651e8

    SHA512

    f05a4ba8dfada102982e64fd3807d4d6369932d693bccad43334be89e7bd5a6a984add3c1b17161aa75a3a368cca5370df945dd700bcc75d5a270d90a50033d5

  • memory/2004-61-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/2004-64-0x0000000000400000-0x000000000090F000-memory.dmp
    Filesize

    5.1MB

  • memory/2004-65-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/2004-69-0x0000000000400000-0x000000000090F000-memory.dmp
    Filesize

    5.1MB

  • memory/2032-54-0x0000000000400000-0x00000000004D5000-memory.dmp
    Filesize

    852KB

  • memory/2032-63-0x0000000000400000-0x00000000004D5000-memory.dmp
    Filesize

    852KB