Analysis
- max time kernel: 9s
- max time network: 14s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-01-2022 18:20
Static task: static1
Behavioral task: behavioral1
  Sample: b0fd06d3d98801c819d319e2238b4759.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b0fd06d3d98801c819d319e2238b4759.exe
  Resource: win10v2004-en-20220113
General
- Target: b0fd06d3d98801c819d319e2238b4759.exe
- Size: 298KB
- MD5: b0fd06d3d98801c819d319e2238b4759
- SHA1: f6b1491a483af1a0aad7dbdcec83580d6bb90023
- SHA256: c6d0861ae7de13673ba678e5460d94433a6a873d461015070cc95fe174015991
- SHA512: 8546bbe82af1543de2b688838e728396821f2c989e0417aedae6d6fce5374c5df5b5c9a00e6a214e7d9bb40d7c8cb6c05b0d52e631e6d6535037bb8e5fad0395
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1240  b0fd06d3d98801c819d319e2238b4759.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process                                target process
    PID 1240 set thread context of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                target process
    PID 1240 wrote to memory of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
    PID 1240 wrote to memory of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
    PID 1240 wrote to memory of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
    PID 1240 wrote to memory of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
    PID 1240 wrote to memory of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
    PID 1240 wrote to memory of 3324   1240  b0fd06d3d98801c819d319e2238b4759.exe  b0fd06d3d98801c819d319e2238b4759.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsd610B.tmp\nscqlwemhn.dll
  MD5: 311cd318e47257d49a0d0a81bb4da7e2
  SHA1: e3c81cb5cc9f791ea21c0ba61ce57d32c3feb478
  SHA256: 2f2b20327889a4f434e5e41e6353596b0afc21d3221814d261c90f1c48cd7b9a
  SHA512: d477c040b87a62568e30d99b6a6dfcb906af47158eac09cf2ec7c8ebe340c846edec1d4a55b6dd5bf1133453a6956770b90aee4576f3ba3110077e1dd1563def