Overview

overview

7

Static

static

1

45562a03ad...c8.exe

windows7-x64

7

45562a03ad...c8.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    302s
  • max time network
    294s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 08:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    45562a03add8d10eed811e8717ca22c6b772bc227b49811850241d8f959dadc8.exe

  • Size

    49.5MB

  • MD5

    887806ea5b8d903a16080c3bb2d8fc14

  • SHA1

    fda4129fc96c366d123b40284815c68ced7bcdc1

  • SHA256

    45562a03add8d10eed811e8717ca22c6b772bc227b49811850241d8f959dadc8

  • SHA512

    e7bfde53af546921f32df35de64592ee849506e83aef3498744d59638204429cebde1c4c676ef3988737c0876be2349e2f866efe5e841133cac398ad916ee003

  • SSDEEP

    786432:EOgXwdEYIb6UdIX/POO4T1I9CT9CKWE5v3i4RTr/b1rnbHqmntLBH53UErk:EHY26Bn0MCT9CKWuviC/b1rbHBtP3UE4

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45562a03add8d10eed811e8717ca22c6b772bc227b49811850241d8f959dadc8.exe
    "C:\Users\Admin\AppData\Local\Temp\45562a03add8d10eed811e8717ca22c6b772bc227b49811850241d8f959dadc8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\is-L28U1.tmp\is-HDP6A.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-L28U1.tmp\is-HDP6A.tmp" /SL4 $A007C C:\Users\Admin\AppData\Local\Temp\45562a03add8d10eed811e8717ca22c6b772bc227b49811850241d8f959dadc8.exe 48224650 72704
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:1404
  • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.exe
    "C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2200
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1636

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\Report.Dat
              Filesize

              6KB

              MD5

              ff9cc3f988f949003769fd626d8e5166

              SHA1

              16d959fe14d1be611f879c86257714eb953f4431

              SHA256

              1153b7f0f623b79ed622a629d8d8a196a277b6e36a0261545e2766ac67a0f371

              SHA512

              d2a075c28f705f3771d3402cd9d66af2bbcf937c43b57e25a8bd210063d609f6c170c02e1b71ec304d2190c3b80dd179576605cd43f636be76999ce8f1303050

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\Report.JQB
              Filesize

              6KB

              MD5

              648f2160fa8794b475cd58160ddbd9f8

              SHA1

              fb8a65dc8d07b74d1ebf1c65606e65efa4d9ed92

              SHA256

              4944ee93f812df81c0a4e9674042dff50e06cc4668a4f65f6eda4886744a8db0

              SHA512

              307c1062ef262169218bb9a44dfa7eebabb2b2d0177da7aefaebaf6991160c04f3897e83846747e58a60ddbce63c7763fb00ba685a2f9c164c870f59e4d1dd5b

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.DLL
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.Dll
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.Dll
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.Dll
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.Dll
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.Dll
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.Dll
              Filesize

              5.8MB

              MD5

              4020bf652eb2bfe504af9194c0cb707c

              SHA1

              c3c06ca0c7a7265d8a9f27ce65f1a96c14787cbe

              SHA256

              2c1ea3a78fc892a69524c774d1273a3972c96e021be4b0a77bc7377745452430

              SHA512

              1a04fa78885f72366f0cba4f5ad7847165bcf96492bbb521d2ea0aee12d9c71098feb2dcde7fde0f4463ff33644c0938be16673083f825c66d4f076758ecbeb0

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.exe
              Filesize

              22.1MB

              MD5

              70115e16dee7d9460026605788c3d964

              SHA1

              7cd73b70be50f7fa08a8afaf8f17ef03f76df5fd

              SHA256

              7210df29bf5132fcbf09e86d37572e345273da2da1f56f844244d21e7a893448

              SHA512

              bb10178b8fbbb16f98f1ec6704afb50197b61f27c82d816796295f39f49716317f940d76f14656dd8cf16148c990eb21b2caccc207d76b19b8e8019990d59878

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.exe
              Filesize

              22.1MB

              MD5

              70115e16dee7d9460026605788c3d964

              SHA1

              7cd73b70be50f7fa08a8afaf8f17ef03f76df5fd

              SHA256

              7210df29bf5132fcbf09e86d37572e345273da2da1f56f844244d21e7a893448

              SHA512

              bb10178b8fbbb16f98f1ec6704afb50197b61f27c82d816796295f39f49716317f940d76f14656dd8cf16148c990eb21b2caccc207d76b19b8e8019990d59878

              Download Submit

            • C:\Program Files (x86)\JoinCheer\²ÆÕþ²¿Í³Ò»±¨±íϵͳ\ReportE.exe
              Filesize

              22.1MB

              MD5

              70115e16dee7d9460026605788c3d964

              SHA1

              7cd73b70be50f7fa08a8afaf8f17ef03f76df5fd

              SHA256

              7210df29bf5132fcbf09e86d37572e345273da2da1f56f844244d21e7a893448

              SHA512

              bb10178b8fbbb16f98f1ec6704afb50197b61f27c82d816796295f39f49716317f940d76f14656dd8cf16148c990eb21b2caccc207d76b19b8e8019990d59878

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\is-CQI4F.tmp\_isdecmp.dll
              Filesize

              12KB

              MD5

              9f015911c4073ba9b8ad5a4c36fcaf88

              SHA1

              d4bd8d2348a2a6294f3f92ad7831f2cf660da6a5

              SHA256

              c630fb87c007c1e3d008eac97edf7e025c0cb806c886971e32b7063d606fd125

              SHA512

              c36dc582141259ec0813edf531431870f96acc346e3f9af0cd86544245a84bb2d6bc4c37518bf309fa0922cdd5535d087e4fef20f0d5aa0494b1a4b0ce388ea9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\is-CQI4F.tmp\_isdecmp.dll
              Filesize

              12KB

              MD5

              9f015911c4073ba9b8ad5a4c36fcaf88

              SHA1

              d4bd8d2348a2a6294f3f92ad7831f2cf660da6a5

              SHA256

              c630fb87c007c1e3d008eac97edf7e025c0cb806c886971e32b7063d606fd125

              SHA512

              c36dc582141259ec0813edf531431870f96acc346e3f9af0cd86544245a84bb2d6bc4c37518bf309fa0922cdd5535d087e4fef20f0d5aa0494b1a4b0ce388ea9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\is-L28U1.tmp\is-HDP6A.tmp
              Filesize

              14.7MB

              MD5

              d801bb95400aaeb29d9a10799bf56257

              SHA1

              16170024d0103d73f79df117371a70dbafc390f2

              SHA256

              b1e133d8803c9f964c6e29ffe382d17241b939c255c74dd0bf00256f75b474cd

              SHA512

              1674ead059dc7a05fb2b5b5bdf5865f4f7d6d39c0955424d439220c52cd0265cc9d4d9477ebef21a7aa3ce270894b0dfbc9cd25b5df888c36e9733ea19a4f717

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\is-L28U1.tmp\is-HDP6A.tmp
              Filesize

              14.7MB

              MD5

              d801bb95400aaeb29d9a10799bf56257

              SHA1

              16170024d0103d73f79df117371a70dbafc390f2

              SHA256

              b1e133d8803c9f964c6e29ffe382d17241b939c255c74dd0bf00256f75b474cd

              SHA512

              1674ead059dc7a05fb2b5b5bdf5865f4f7d6d39c0955424d439220c52cd0265cc9d4d9477ebef21a7aa3ce270894b0dfbc9cd25b5df888c36e9733ea19a4f717

              Download Submit

            • memory/936-272-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-277-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-292-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-254-0x00000000036E0000-0x00000000036E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/936-291-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-284-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-280-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-279-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-278-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-276-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-275-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-266-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-267-0x00000000036E0000-0x00000000036E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/936-268-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-274-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/936-273-0x0000000000400000-0x0000000001A74000-memory.dmp

              Filesize

              22.5MB

              Download

            • memory/1404-139-0x00000000014D0000-0x00000000014D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1404-150-0x0000000000400000-0x0000000001303000-memory.dmp

              Filesize

              15.0MB

              Download

            • memory/1404-151-0x00000000014D0000-0x00000000014D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1404-155-0x0000000000400000-0x0000000001303000-memory.dmp

              Filesize

              15.0MB

              Download

            • memory/1404-185-0x0000000000400000-0x0000000001303000-memory.dmp

              Filesize

              15.0MB

              Download

            • memory/1404-244-0x0000000000400000-0x0000000001303000-memory.dmp

              Filesize

              15.0MB

              Download

            • memory/1404-248-0x0000000000400000-0x0000000001303000-memory.dmp

              Filesize

              15.0MB

              Download

            • memory/3592-133-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/3592-149-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download

            • memory/3592-249-0x0000000000400000-0x0000000000418000-memory.dmp

              Filesize

              96KB

              Download