Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted
27-03-2023 07:40
Static task: static1
Behavioral task: behavioral1
  Sample: cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe
  Resource: win10v2004-20230220-en
General
- Target: cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe
- Size: 29.5MB
- MD5: e0f5c5dacb2c49b9de937e1ac4e6aa12
- SHA1: 7d4e57d53f0b855780ebeee66d7fb51c51a7ab78
- SHA256: cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0
- SHA512: bf6e9a08a1969cac5a1fe53472364a9fee321001be4b003db5e282596ccff3ad9cc50e13c313012a0804e4c66923ac53559443c4c9adc697ebd7a420e9873b97
- SSDEEP: 786432:oX+PCDglQifSjUTs6LhQ/+loqcH9jnfazU/NpQDoWnSz+XBW:EurlQifgUw6LhI+JQ9jfa4/NpmhSR
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 836 DiskGenius.exe
- Loads dropped DLL (3 IoCs)
  Processes: PID 1540 cmd.exe; PID 836 DiskGenius.exe (2 loads)
  The dropped DLLs are msimg32.dll and version.dll (see Downloads). Both are names of Windows system DLLs that normally live in System32, and neither is on the KnownDLLs list, so a copy placed in the executable's own directory is found first under the default DLL search order. That is the DLL search-order hijack (sideloading) pattern. Checks worth making before drawing a conclusion: whether the dropped copies are Authenticode-signed, and how they differ from the System32 originals; a 3.7MB version.dll is far larger than the system version.dll.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. The process that triggers it is named DiskGenius.exe, a disk-partition utility, for which enumerating physical drives is expected behaviour; treat the signature as context rather than as evidence of ransomware on its own.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2020 (cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe) wrote to memory of PID 1540 (cmd.exe): 4 events
  PID 1540 (cmd.exe) wrote to memory of PID 836 (DiskGenius.exe): 4 events
  Each write is from a parent into the child it has just created (launcher into cmd.exe, cmd.exe into DiskGenius.exe), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cdf1b2d005ad498283d73a0ddbbd5886c775799e021c6a2a99e7549dd87538c0.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\StartDGEng.bat"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
         Command line: DiskGenius.exe
         - Executes dropped EXE
         - Loads dropped DLL

The cmd.exe image path is SysWOW64 although the command line names System32: the launcher is 32-bit (arch:x86 in the resource tags), so WOW64 file-system redirection maps System32 to SysWOW64 for it. 7ZipSfx.000 is the temporary extraction directory used by the 7-Zip SFX module; the launcher extracts the archive there and runs the 89-byte StartDGEng.bat listed under Downloads, which in turn starts DiskGenius.exe from that directory.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
  Filesize: 27.0MB
  MD5: 104b8e9c7836eacaa8c16c71aa79d067
  SHA1: dc1deb4a4e957190f92901256e9f606ea198ca72
  SHA256: 7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13
  SHA512: dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
  Filesize: 5KB
  MD5: d927d43c0d44b65c2067f2abe8d59261
  SHA1: 88da81305b742b49b48467c947d4030369faa538
  SHA256: e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2
  SHA512: 267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\StartDGEng.bat
  Filesize: 89B
  MD5: 7df9ed38a5a267966322248b5d228af7
  SHA1: 1fb961c469bab1a840b62c290eadd104501ef8c4
  SHA256: fe7e41f49cc58e970461d87e88f91d0fb7c850622a99e2ebb4cdf10506e80029
  SHA512: b1efa436e6fc12facc858986d360dc6645d1d5a206338b1ea37793bd64faf2dcf9ec99d92c8252be3b7373e826fd89d3a6f49ab22c4f8c935aff113d61af01f1
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll
  Filesize: 3.7MB
  MD5: 1e8af4c81c6d4076681e9dbbf93f2d69
  SHA1: 4636dcca6226e868fb7599bcbcc785ae0ae0bed7
  SHA256: 2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871
  SHA512: a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
  Filesize: 27.0MB
  MD5: 104b8e9c7836eacaa8c16c71aa79d067
  SHA1: dc1deb4a4e957190f92901256e9f606ea198ca72
  SHA256: 7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13
  SHA512: dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
  Filesize: 5KB
  MD5: d927d43c0d44b65c2067f2abe8d59261
  SHA1: 88da81305b742b49b48467c947d4030369faa538
  SHA256: e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2
  SHA512: 267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528
- \Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll
  Filesize: 3.7MB
  MD5: 1e8af4c81c6d4076681e9dbbf93f2d69
  SHA1: 4636dcca6226e868fb7599bcbcc785ae0ae0bed7
  SHA256: 2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871
  SHA512: a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015
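The dropped-file list above is what an analyst works from when deciding whether the DLLs next to DiskGenius.exe are a sideloading setup. The following Python script is an added triage example, not code from the sandbox or from any tool the report names: it parses the sandbox's size strings, collapses the rows that describe the same file under different path spellings (by SHA256), and pairs every dropped DLL that carries a Windows system DLL name with the dropped executable sitting in the same directory. The DROPPED table is transcribed from the Downloads section; HIJACKABLE_DLL_NAMES is an assumption (a short hand-picked list, not an authoritative one), and the 1024-based size units are assumed to match what the sandbox prints.

```python
"""Triage of a sandbox dropped-file list for DLL search-order hijack candidates.

Added example, not part of the sandbox report. DROPPED is transcribed from the
report's Downloads section: (path, size as printed, SHA256).
"""
import re
from pathlib import PureWindowsPath

DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe", "27.0MB",
     "7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll", "5KB",
     "e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\StartDGEng.bat", "89B",
     "fe7e41f49cc58e970461d87e88f91d0fb7c850622a99e2ebb4cdf10506e80029"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll", "3.7MB",
     "2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe", "27.0MB",
     "7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll", "5KB",
     "e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll", "3.7MB",
     "2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871"),
]

# Assumption: a hand-picked set of system DLL names that many executables import
# and that are not on the KnownDLLs list, so a same-directory copy wins the search.
HIJACKABLE_DLL_NAMES = {"version.dll", "msimg32.dll", "cryptbase.dll", "dbghelp.dll", "wininet.dll"}

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([KMG]?B)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """Convert the sandbox's '27.0MB' / '5KB' / '89B' into bytes (1024-based units assumed)."""
    m = _SIZE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def norm_dir(path):
    """Directory of a Windows path, lower-cased, with the drive or root stripped,
    so the C:\\... and \\... spellings of one location compare equal."""
    p = PureWindowsPath(path)
    parts = p.parent.parts[1:] if p.anchor else p.parent.parts
    return "\\".join(parts).lower()


def dedupe_by_sha256(entries):
    """Collapse rows that describe the same file under several paths to one per hash."""
    unique = {}
    for path, size, sha256 in entries:
        unique.setdefault(sha256.lower(), {
            "path": path,
            "name": PureWindowsPath(path).name.lower(),
            "dir": norm_dir(path),
            "bytes": parse_size(size),
        })
    return unique


def find_sideload_candidates(files, hijackable=HIJACKABLE_DLL_NAMES):
    """Pair each dropped DLL bearing a system-DLL name with every dropped EXE in its directory."""
    exes = [f for f in files if f["name"].endswith(".exe")]
    candidates = []
    for f in files:
        if f["name"] not in hijackable:
            continue
        for exe in exes:
            if exe["dir"] == f["dir"]:
                candidates.append({"dll": f["name"], "exe": exe["name"],
                                   "dir": f["dir"], "bytes": f["bytes"]})
    return sorted(candidates, key=lambda c: c["dll"])


def triage(entries=DROPPED):
    """Summarise a dropped-file list: unique files, sideload pairs, and SHA256 IOCs."""
    unique = dedupe_by_sha256(entries)
    files = list(unique.values())
    return {
        "unique_files": len(files),
        "sideload_candidates": find_sideload_candidates(files),
        "sha256_iocs": sorted(unique),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On this report the script reduces the seven rows to four unique files and reports two candidate pairs, msimg32.dll and version.dll alongside diskgenius.exe, together with the byte sizes that make the 3.7MB version.dll stand out. The candidate list is a starting point for the signature and System32 comparison checks, not a verdict.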