f9a5c117f45c2cc1fc23ccc88f7fc6586bb7dba85f8a1ca3d4e5f87046d39ed6

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-09-2022 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38eccf686c562c57251e1366f87430e6.exe
Size

24KB
MD5

38eccf686c562c57251e1366f87430e6
SHA1

42cacb642573e24c7625584c275d456b118bed2a
SHA256

f9a5c117f45c2cc1fc23ccc88f7fc6586bb7dba85f8a1ca3d4e5f87046d39ed6
SHA512

812bbcca7ea29eb66891a1a83c23ec72b60e929f6c08a103ffc814c69aad43a16dfaefebb33c8ebbb7a88941f9ad90d3f9131ece51bdaeb3b4cf5a1f6cba5cd1
SSDEEP

192:zkBKt7bnGFPpHuBp3RGKTxW8YMcvdQgkyAd+6zrPf51JHyqOl1aWNaNVa2hQJ:zk6dvGD8hcv7kyAPzJSjlY7VlY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	true_update.exe

Loads dropped DLL 4 IoCs

pid	Process
1808	38eccf686c562c57251e1366f87430e6.exe
1756	true_update.exe
1756	true_update.exe
1756	true_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27
PID 1808 wrote to memory of 1756	1808	38eccf686c562c57251e1366f87430e6.exe	27

C:\Users\Admin\AppData\Local\Temp\38eccf686c562c57251e1366f87430e6.exe
"C:\Users\Admin\AppData\Local\Temp\38eccf686c562c57251e1366f87430e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\true_update.exe
  "C:\Users\Admin\AppData\Local\Temp\true_update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\true_update.exe

Filesize
24KB

MD5
bf1fc0111af7bac420b633ca80cca24a

SHA1
bc50846097b9db22d785fbaa81ff1d67ed72c2ae

SHA256
52da81bfee087a544603b0ea67cb01616e40f504d681c676e97ed22cd28800e8

SHA512
be7e4f74af39d1498fc7f6ee34c164e5b68c36a38a4cd7f4b7270ca145fdabcf629afcf81b11c0af6ce179ce2933f413071d9d5ca60f39119fe67943bc8292c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\true_update.exe

Filesize
24KB

MD5
bf1fc0111af7bac420b633ca80cca24a

SHA1
bc50846097b9db22d785fbaa81ff1d67ed72c2ae

SHA256
52da81bfee087a544603b0ea67cb01616e40f504d681c676e97ed22cd28800e8

SHA512
be7e4f74af39d1498fc7f6ee34c164e5b68c36a38a4cd7f4b7270ca145fdabcf629afcf81b11c0af6ce179ce2933f413071d9d5ca60f39119fe67943bc8292c7

Download Submit
\Users\Admin\AppData\Local\Temp\true_update.exe

Filesize
24KB

MD5
bf1fc0111af7bac420b633ca80cca24a

SHA1
bc50846097b9db22d785fbaa81ff1d67ed72c2ae

SHA256
52da81bfee087a544603b0ea67cb01616e40f504d681c676e97ed22cd28800e8

SHA512
be7e4f74af39d1498fc7f6ee34c164e5b68c36a38a4cd7f4b7270ca145fdabcf629afcf81b11c0af6ce179ce2933f413071d9d5ca60f39119fe67943bc8292c7

Download Submit
\Users\Admin\AppData\Local\Temp\true_update.exe

Filesize
24KB

MD5
bf1fc0111af7bac420b633ca80cca24a

SHA1
bc50846097b9db22d785fbaa81ff1d67ed72c2ae

SHA256
52da81bfee087a544603b0ea67cb01616e40f504d681c676e97ed22cd28800e8

SHA512
be7e4f74af39d1498fc7f6ee34c164e5b68c36a38a4cd7f4b7270ca145fdabcf629afcf81b11c0af6ce179ce2933f413071d9d5ca60f39119fe67943bc8292c7

Download Submit
\Users\Admin\AppData\Local\Temp\true_update.exe

Filesize
24KB

MD5
bf1fc0111af7bac420b633ca80cca24a

SHA1
bc50846097b9db22d785fbaa81ff1d67ed72c2ae

SHA256
52da81bfee087a544603b0ea67cb01616e40f504d681c676e97ed22cd28800e8

SHA512
be7e4f74af39d1498fc7f6ee34c164e5b68c36a38a4cd7f4b7270ca145fdabcf629afcf81b11c0af6ce179ce2933f413071d9d5ca60f39119fe67943bc8292c7

Download Submit
\Users\Admin\AppData\Local\Temp\true_update.exe

Filesize
24KB

MD5
bf1fc0111af7bac420b633ca80cca24a

SHA1
bc50846097b9db22d785fbaa81ff1d67ed72c2ae

SHA256
52da81bfee087a544603b0ea67cb01616e40f504d681c676e97ed22cd28800e8

SHA512
be7e4f74af39d1498fc7f6ee34c164e5b68c36a38a4cd7f4b7270ca145fdabcf629afcf81b11c0af6ce179ce2933f413071d9d5ca60f39119fe67943bc8292c7

Download Submit
memory/1756-56-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download