c6d0861ae7de13673ba678e5460d94433a6a873d461015070cc95fe174015991

Analysis

max time kernel
9s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-01-2022 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0fd06d3d98801c819d319e2238b4759.exe
Size

298KB
MD5

b0fd06d3d98801c819d319e2238b4759
SHA1

f6b1491a483af1a0aad7dbdcec83580d6bb90023
SHA256

c6d0861ae7de13673ba678e5460d94433a6a873d461015070cc95fe174015991
SHA512

8546bbe82af1543de2b688838e728396821f2c989e0417aedae6d6fce5374c5df5b5c9a00e6a214e7d9bb40d7c8cb6c05b0d52e631e6d6535037bb8e5fad0395

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

pid process

1240 b0fd06d3d98801c819d319e2238b4759.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

description pid process target process

PID 1240 set thread context of 3324 1240 b0fd06d3d98801c819d319e2238b4759.exe b0fd06d3d98801c819d319e2238b4759.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1240	b0fd06d3d98801c819d319e2238b4759.exe

description	pid	process	target process
PID 1240 set thread context of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

description	pid	process	target process
PID 1240 wrote to memory of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1240 wrote to memory of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1240 wrote to memory of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1240 wrote to memory of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1240 wrote to memory of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1240 wrote to memory of 3324	1240	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe

C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe
"C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe
"C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe"
2⤵
PID:3324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd610B.tmp\nscqlwemhn.dll
MD5
311cd318e47257d49a0d0a81bb4da7e2

SHA1
e3c81cb5cc9f791ea21c0ba61ce57d32c3feb478

SHA256
2f2b20327889a4f434e5e41e6353596b0afc21d3221814d261c90f1c48cd7b9a

SHA512
d477c040b87a62568e30d99b6a6dfcb906af47158eac09cf2ec7c8ebe340c846edec1d4a55b6dd5bf1133453a6956770b90aee4576f3ba3110077e1dd1563def

Download Submit