736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-03-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe
Size

31.9MB
MD5

1b5a9cdfb1e2e5525ba77008aacfed3d
SHA1

f5053f7b425d2019a254d4952814a752c2987302
SHA256

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb
SHA512

d1281dcaa794a85fa76163a0ec2b87a5745ceacd559c90f39ca5cd6b6f610e77839b3f9b3ff8866bc64ea104e975133222e8ca4966bbfa583f20466c8c1674b5
SSDEEP

786432:1HI5TJ/XpqhDctzm+deBbq2O879gNBCN3KHLlLYWCA16pNa5AlomnNCs7t8X:1o5TJ/5qhD4S++W2Ou9oBCN6HqWJ16pw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DiskGenius.exe

pid process

328 DiskGenius.exe
Loads dropped DLL 3 IoCs

Processes:

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exeDiskGenius.exe

pid process

1360 736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe
328 DiskGenius.exe
328 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
328	DiskGenius.exe

pid	process
1360	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe
328	DiskGenius.exe
328	DiskGenius.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe

description	pid	process	target process
PID 1360 wrote to memory of 328	1360	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe
PID 1360 wrote to memory of 328	1360	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe
PID 1360 wrote to memory of 328	1360	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe
PID 1360 wrote to memory of 328	1360	736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe
"C:\Users\Admin\AppData\Local\Temp\736cda5b2775ef1e9b3c1aca74c6bb2adfe737d001dcd935bcbe8ee62958ebbb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MSIMG32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\VERSION.dll
Filesize
3.7MB

MD5
1e8af4c81c6d4076681e9dbbf93f2d69

SHA1
4636dcca6226e868fb7599bcbcc785ae0ae0bed7

SHA256
2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871

SHA512
a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
27.0MB

MD5
104b8e9c7836eacaa8c16c71aa79d067

SHA1
dc1deb4a4e957190f92901256e9f606ea198ca72

SHA256
7169b64c443524615cd745356826654c2ebd1319fb4bf3cef30bac72e5e34f13

SHA512
dcbb4adacd6806fe7846efc9d5fe5a80442368716af95810f82996526297c1d456db11134b85905266810b49a6cd6c4d7759f203a83038f4a5bf60ec1be69995

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msimg32.dll
Filesize
5KB

MD5
d927d43c0d44b65c2067f2abe8d59261

SHA1
88da81305b742b49b48467c947d4030369faa538

SHA256
e236088bfede4f99f6d138991df32b7edb7f4454abee76f8ca6955daaed2abf2

SHA512
267a9e12fd53c4ef17b3c1264da873aa4aa845e10002dd379d936248e8510530de75bbf66ba55cd64ed3eb2d54d19b208bfbc667962d353895f6410f6e099528

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\version.dll
Filesize
3.7MB

MD5
1e8af4c81c6d4076681e9dbbf93f2d69

SHA1
4636dcca6226e868fb7599bcbcc785ae0ae0bed7

SHA256
2d55781f0fe93c02c019bdcd79ca0489a1906a59aee0bce15aebad862fae2871

SHA512
a7df48e9a6c71d2ad4ed968efe20c54e855600e272b0c013e4a3177f12d9e3710b806ba8ba52994fc2b999e071c15e7b91a2ce33d507cf461d967c935ad3a015

Download Submit