ddb85289a979cc5af18e8e6082830f1815f9ace54a8cdcb0765b029cf50d0ced

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan pictures.exe
Size

382KB
MD5

ff6acdd6bacbef7565b628d04440887a
SHA1

728ff09cba264b720e54e856a81c3bcc898efdc9
SHA256

ddb85289a979cc5af18e8e6082830f1815f9ace54a8cdcb0765b029cf50d0ced
SHA512

f448ed6641846799e54aa2d95777d3a56848ed6154f7a727393d52470aaf35ac38e51e8427d729056ed4ad956bb8f5d87281d2cf9e3f5f2e5053fb0f21605cf5
SSDEEP

6144:y6d6ryCbi6j6od7R6JQW06Jei7uyrpnEPwrhIjk+06dZO:myKi0F7R6K5S9RrpnLrak+S

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4800	Scan pictures.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Upbraiding\Ekstremismer\Dbl.Srr	Scan pictures.exe
File opened for modification	C:\Windows\Fralokke\Registerforskrifter\signalren\Programdisketter.ini	Scan pictures.exe
File opened for modification	C:\Windows\resources\0409\Keymen.gib	Scan pictures.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\Scan pictures.exe
"C:\Users\Admin\AppData\Local\Temp\Scan pictures.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshDAA6.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit