75266413fb6a86f525add87aaf73abece18332f98d11c93cd126172ef996380f

Analysis

max time kernel
142s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-03-2023 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unhackme_setup.exe
Size

44.0MB
MD5

1c677ebec456a670511e3d3e2456b928
SHA1

f048e21ba204694ffe2e1321db175d5a95596e06
SHA256

75266413fb6a86f525add87aaf73abece18332f98d11c93cd126172ef996380f
SHA512

dcdfcd5ab499775725c212de60a9d09fe2ecee7b19fcb2cdc3981f2a8d7b1d153f8eec05048ded7caeb333a5395edfc27760692aec86ca7ccdb10ea4eef6065a
SSDEEP

786432:2uFKIGjmRl7B65SCkWkU1vsF3rpY+kmY1O7TmIeEZsmxnTZlsPl2rn3UxL05BBo4:2sKIGjmRlN65SxWFtsF3FY+3En07ilSt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

unhackme_setup.tmp

pid process

2004 unhackme_setup.tmp
Loads dropped DLL 1 IoCs

Processes:

unhackme_setup.exe

pid process

2032 unhackme_setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

unhackme_setup.tmp

pid process

2004 unhackme_setup.tmp
2004 unhackme_setup.tmp

pid	process
2004	unhackme_setup.tmp

pid	process
2032	unhackme_setup.exe

pid	process
2004	unhackme_setup.tmp
2004	unhackme_setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

unhackme_setup.exe

description	pid	process	target process
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp
PID 2032 wrote to memory of 2004	2032	unhackme_setup.exe	unhackme_setup.tmp

C:\Users\Admin\AppData\Local\Temp\unhackme_setup.exe
"C:\Users\Admin\AppData\Local\Temp\unhackme_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp" /SL5="$70126,44545828,816640,C:\Users\Admin\AppData\Local\Temp\unhackme_setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp
Filesize
5.0MB

MD5
3c9041192d7a2565af86075f31d3a7fd

SHA1
11f4f96ebfae5725e4d05b66839ef23fd921fd02

SHA256
a72b7c2a89b8b7c7c31a46c947e4d7507d47b5977b7d624fdc2faf286d2651e8

SHA512
f05a4ba8dfada102982e64fd3807d4d6369932d693bccad43334be89e7bd5a6a984add3c1b17161aa75a3a368cca5370df945dd700bcc75d5a270d90a50033d5

Download Submit
\Users\Admin\AppData\Local\Temp\is-08UDI.tmp\unhackme_setup.tmp
Filesize
5.0MB

MD5
3c9041192d7a2565af86075f31d3a7fd

SHA1
11f4f96ebfae5725e4d05b66839ef23fd921fd02

SHA256
a72b7c2a89b8b7c7c31a46c947e4d7507d47b5977b7d624fdc2faf286d2651e8

SHA512
f05a4ba8dfada102982e64fd3807d4d6369932d693bccad43334be89e7bd5a6a984add3c1b17161aa75a3a368cca5370df945dd700bcc75d5a270d90a50033d5

Download Submit
memory/2004-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2004-64-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/2004-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2004-69-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/2032-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2032-63-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download