3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

Analysis

max time kernel
150s
max time network
102s
platform
windows7_x64
resource
win7-20220414-en
submitted
09/06/2022, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Size

644KB
MD5

2d52f51831bb09c03ef6d4237df554f3
SHA1

2b96a3092e7a44b0af213adb78ce9d38ba8e4df4
SHA256

3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7
SHA512

84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1500	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: SeDebugPrivilege	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: SeDebugPrivilege	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 1008 wrote to memory of 2012	1008	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	28
PID 2012 wrote to memory of 1600	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	30
PID 2012 wrote to memory of 1600	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	30
PID 2012 wrote to memory of 1600	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	30
PID 2012 wrote to memory of 1600	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	30
PID 2012 wrote to memory of 1628	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	31
PID 2012 wrote to memory of 1628	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	31
PID 2012 wrote to memory of 1628	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	31
PID 2012 wrote to memory of 1628	2012	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	31
PID 1628 wrote to memory of 1500	1628	cmd.exe	33
PID 1628 wrote to memory of 1500	1628	cmd.exe	33
PID 1628 wrote to memory of 1500	1628	cmd.exe	33
PID 1628 wrote to memory of 1500	1628	cmd.exe	33
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34
PID 1600 wrote to memory of 1548	1600	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	34

C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
"C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
  "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
    "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
      "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
      4⤵
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
memory/1008-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1008-56-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/1008-54-0x0000000000FC0000-0x000000000106A000-memory.dmp

Filesize
680KB

Download
memory/1600-76-0x0000000000A70000-0x0000000000B1A000-memory.dmp

Filesize
680KB

Download
memory/2012-60-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-69-0x00000000047B0000-0x000000000485E000-memory.dmp

Filesize
696KB

Download
memory/2012-70-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/2012-68-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2012-67-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-61-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download