4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b

Analysis

max time kernel
52s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/09/2022, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
Size

6.9MB
MD5

2f3269895b05efeae50626c3d0d8d25d
SHA1

9981f5834f7642a97e42428af22481ed6b07d028
SHA256

4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b
SHA512

a185f1d0ff37f4715f605f6aa788a21ad50e2973fd7b6e5a92b6e33b29f61b80a4b0d0efd1553910d9b901a89d39240e828e57764027677d2099b482fec44585
SSDEEP

196608:tuCBzF9onJ5hrZERMB2WZufOuD9L9kKyPhVkXJmzCb0:zp9c5hlERo2WmfDZ58VkZF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4972	2896	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe	68
PID 2896 wrote to memory of 4972	2896	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe	68
PID 4972 wrote to memory of 4736	4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe	69
PID 4972 wrote to memory of 4736	4972	4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe	69

C:\Users\Admin\AppData\Local\Temp\4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
"C:\Users\Admin\AppData\Local\Temp\4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe
  "C:\Users\Admin\AppData\Local\Temp\4f8396b896a00426203c0a0c50754536dc4fc715b96d7f6125094d2632331b2b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\open.bat" "
    3⤵
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28962\GenerateKeyResult.exe.manifest

Filesize
1KB

MD5
9f5a660ea29e02d6d98b7df8f3809d3e

SHA1
ee60e3cd56b8b76d193a4bb877550bbbbd0967dc

SHA256
ec11d26cd5b2def850a522cbeb6f75bacd6ae892be472f9215c65b2df13e975c

SHA512
1b82527c80c03924af75285f801a99992d8cbce8cd7e541c8f1cd12c1901c272d307d15b927e4069f37a92f743a29897d2c148d079abf47d9ccb5ebfd0190d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\base_library.zip

Filesize
762KB

MD5
740584045f8e83bd00109582ec779c2e

SHA1
e28fa6c67cb4bf1c359b40777b3ca7ec3413c345

SHA256
bac2807a38037541e2db8867a599a6ee24a5487075d791ba826162ef74448064

SHA512
2a5911c1023f7294c11d0ffd02df9794a866544ceb515827b426b5bfd6d69af2551e4cfde13f64cad434dd917a3d4a1678a9138dca9a866be07506509f626991

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\ucrtbase.dll

Filesize
971KB

MD5
1eb17f650462eea820f4cd727d2d3ab1

SHA1
688f59160589ffa293502bffcd5c0e62e1993903

SHA256
24968e69daf49f58e812ada3e4cb24a66d6fb9ef14fc211538dd992b08ed1c3b

SHA512
4b2fd6f202d2c697d10e0a2751ec05128071c7a3f1296c9f41fdbf07b334d8eb48dad674d91150966e0ea925c8e2aeceff904bb3d055989de2e1f94dd7d4bf18

Download Submit
C:\Users\Admin\AppData\Local\Temp\open.bat

Filesize
28B

MD5
efa545f38fcdc1aafefba33277f8417a

SHA1
3eb5ef395969f864244c0758cb843b44fde5a825

SHA256
313c5b62374789e0f547b25f8f54e59f8a4bdd664778d09bb371cb819b01d0a3

SHA512
2f7690d9f6f18c7d43c4866b05a2362959a3a165a39d3fdcf59fed39f5b2e19c2130fba10a211b48353658ae6e7b1339643bb375c0a5a0dce8f722808883d694

Download Submit
C:\Users\Admin\AppData\Local\Temp\result.txt

Filesize
101B

MD5
65c98d7300f3efca265435d7a22421ec

SHA1
8be476e61379c6a9ad46baf8e9b8acf196c9ca03

SHA256
506c29b004f89a1dcf086624553c9771229b2aa1e5da7ced809f2440d34f3ccc

SHA512
a310ee74bdcc2b7ed089a831075d328ed069451fbc0b2aef3f29c4e0b4eb5796c15fa7b18f41bcad69f273a28d863c5e57ac40710aa1a8fef2b82b9a739871a9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28962\ucrtbase.dll

Filesize
971KB

MD5
1eb17f650462eea820f4cd727d2d3ab1

SHA1
688f59160589ffa293502bffcd5c0e62e1993903

SHA256
24968e69daf49f58e812ada3e4cb24a66d6fb9ef14fc211538dd992b08ed1c3b

SHA512
4b2fd6f202d2c697d10e0a2751ec05128071c7a3f1296c9f41fdbf07b334d8eb48dad674d91150966e0ea925c8e2aeceff904bb3d055989de2e1f94dd7d4bf18

Download Submit