4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be

Analysis

max time kernel
8s
platform
windows10_x64
resource
win10v20210408
submitted
17-09-2021 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de8a80136d8b6c2002ba8473bda2a617.exe
Size

255KB
MD5

de8a80136d8b6c2002ba8473bda2a617
SHA1

6ccca366fd276d0bff3197b02bfb8c192fe75cb3
SHA256

4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
SHA512

d93ca922a818f387312a317ef84e22d88ac9c091a8ddb85c742983fa37801614681d22b842aacd66f6d66621700a0e4eeacc632428303f8db6c7bd0f8d607875

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

de8a80136d8b6c2002ba8473bda2a617.exe

pid process

652 de8a80136d8b6c2002ba8473bda2a617.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

de8a80136d8b6c2002ba8473bda2a617.exe

description pid process target process

PID 652 set thread context of 872 652 de8a80136d8b6c2002ba8473bda2a617.exe de8a80136d8b6c2002ba8473bda2a617.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

de8a80136d8b6c2002ba8473bda2a617.exe

pid process

652 de8a80136d8b6c2002ba8473bda2a617.exe

pid	process
652	de8a80136d8b6c2002ba8473bda2a617.exe

description	pid	process	target process
PID 652 set thread context of 872	652	de8a80136d8b6c2002ba8473bda2a617.exe	de8a80136d8b6c2002ba8473bda2a617.exe

pid	process
652	de8a80136d8b6c2002ba8473bda2a617.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

de8a80136d8b6c2002ba8473bda2a617.exe

description	pid	process	target process
PID 652 wrote to memory of 872	652	de8a80136d8b6c2002ba8473bda2a617.exe	de8a80136d8b6c2002ba8473bda2a617.exe
PID 652 wrote to memory of 872	652	de8a80136d8b6c2002ba8473bda2a617.exe	de8a80136d8b6c2002ba8473bda2a617.exe
PID 652 wrote to memory of 872	652	de8a80136d8b6c2002ba8473bda2a617.exe	de8a80136d8b6c2002ba8473bda2a617.exe
PID 652 wrote to memory of 872	652	de8a80136d8b6c2002ba8473bda2a617.exe	de8a80136d8b6c2002ba8473bda2a617.exe

C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe
"C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe
"C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe"
2⤵
PID:872

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsx4448.tmp\tkxaz.dll
MD5
220b53f6a42f8f23f16378c8330763d1

SHA1
02078dc5f0d573ba4c7bb24f69c7218f31987be6

SHA256
3c470a8a1732a7e3e06cd561f5566c192f851e763b3694d84f546fe8ba379637

SHA512
6f442f207deaabb292851abae4d7c372504aa61a1ccfdce6d6f5b5d9d00fff681ff3a458731e47d227404a9bbab6f7fc61493a98075fac33db89766064cbb6f2

Download Submit
memory/872-115-0x000000000041D0B0-mapping.dmp

Download