8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f

Analysis

max time kernel
30s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
Size

383KB
MD5

f933bf16ab327dde3bbd1edf8904ca24
SHA1

80fffd5994081d4e448b316313fb6ba02403c449
SHA256

8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f
SHA512

a3ad122a2eae7e824723a42a153c7e2c4421dd24804ec262f68c66c074a4e548ec2d6fd3c4909493e24fd3cf37ffe55048459199c85ef491a89297254d8678c0
SSDEEP

6144:rs84tsv9slNSxY2Nc2EzpTPPy4AbE47WfA8RwpEP4h:rf4tu9slNSq2N7a9LmEjIma

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1456	notepad.exe
1784	calc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001267a-63.dat	upx
behavioral1/files/0x000900000001267a-64.dat	upx
behavioral1/files/0x000900000001267a-65.dat	upx
behavioral1/files/0x000900000001267a-66.dat	upx
behavioral1/files/0x000900000001267a-70.dat	upx
behavioral1/files/0x000900000001267a-67.dat	upx
behavioral1/memory/1784-72-0x0000000001000000-0x0000000001028000-memory.dmp	upx

Loads dropped DLL 10 IoCs

pid	Process
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1456	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	28
PID 876 wrote to memory of 1456	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	28
PID 876 wrote to memory of 1456	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	28
PID 876 wrote to memory of 1456	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	28
PID 876 wrote to memory of 1784	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	29
PID 876 wrote to memory of 1784	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	29
PID 876 wrote to memory of 1784	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	29
PID 876 wrote to memory of 1784	876	8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe	29

C:\Users\Admin\AppData\Local\Temp\8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe
"C:\Users\Admin\AppData\Local\Temp\8ed18a0272266f61bf46450dcc91262732171649239ec138b00e4fa96168314f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\Desktop\notepad.exe
  "C:\Users\Admin\Desktop\notepad.exe"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Users\Admin\Desktop\calc.exe
  "C:\Users\Admin\Desktop\calc.exe"
  2⤵
  - Executes dropped EXE
  PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\calc.exe

Filesize
56KB

MD5
e600b4d8d232484f43d7942a475b5709

SHA1
c053b63428fd9618593691b8e9c2f5a885631ece

SHA256
a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

SHA512
d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

Download Submit
C:\Users\Admin\Desktop\notepad.exe

Filesize
69KB

MD5
8aec89c7cc076ed378baa4dab7cb09e2

SHA1
caf84e588017a7098561a62e291dfa1a4f01db73

SHA256
f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

SHA512
a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

Download Submit
\Users\Admin\Desktop\calc.exe

Filesize
56KB

MD5
e600b4d8d232484f43d7942a475b5709

SHA1
c053b63428fd9618593691b8e9c2f5a885631ece

SHA256
a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

SHA512
d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

Download Submit
\Users\Admin\Desktop\calc.exe

Filesize
56KB

MD5
e600b4d8d232484f43d7942a475b5709

SHA1
c053b63428fd9618593691b8e9c2f5a885631ece

SHA256
a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

SHA512
d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

Download Submit
\Users\Admin\Desktop\calc.exe

Filesize
56KB

MD5
e600b4d8d232484f43d7942a475b5709

SHA1
c053b63428fd9618593691b8e9c2f5a885631ece

SHA256
a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

SHA512
d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

Download Submit
\Users\Admin\Desktop\calc.exe

Filesize
56KB

MD5
e600b4d8d232484f43d7942a475b5709

SHA1
c053b63428fd9618593691b8e9c2f5a885631ece

SHA256
a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

SHA512
d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

Download Submit
\Users\Admin\Desktop\calc.exe

Filesize
56KB

MD5
e600b4d8d232484f43d7942a475b5709

SHA1
c053b63428fd9618593691b8e9c2f5a885631ece

SHA256
a3a7c8b877e44904cc3855802cee5432f0b1ea53dc37ef9d5d9ef63e06b9f187

SHA512
d16a039682385200b9b0a53e1b9a13f619a33b3e6e7d3fab5c8040daf541ee464219b750f47f5c77496d386f2b359e6a8b776ab2ee295cc1e42fd8c788115be7

Download Submit
\Users\Admin\Desktop\notepad.exe

Filesize
69KB

MD5
8aec89c7cc076ed378baa4dab7cb09e2

SHA1
caf84e588017a7098561a62e291dfa1a4f01db73

SHA256
f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

SHA512
a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

Download Submit
\Users\Admin\Desktop\notepad.exe

Filesize
69KB

MD5
8aec89c7cc076ed378baa4dab7cb09e2

SHA1
caf84e588017a7098561a62e291dfa1a4f01db73

SHA256
f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

SHA512
a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

Download Submit
\Users\Admin\Desktop\notepad.exe

Filesize
69KB

MD5
8aec89c7cc076ed378baa4dab7cb09e2

SHA1
caf84e588017a7098561a62e291dfa1a4f01db73

SHA256
f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

SHA512
a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

Download Submit
\Users\Admin\Desktop\notepad.exe

Filesize
69KB

MD5
8aec89c7cc076ed378baa4dab7cb09e2

SHA1
caf84e588017a7098561a62e291dfa1a4f01db73

SHA256
f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

SHA512
a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

Download Submit
\Users\Admin\Desktop\notepad.exe

Filesize
69KB

MD5
8aec89c7cc076ed378baa4dab7cb09e2

SHA1
caf84e588017a7098561a62e291dfa1a4f01db73

SHA256
f605009a245a5a1b6351f980f6d7d409e521dd33c1a528c4241d32b09a79fd10

SHA512
a7abb018d1d039e74ae846c36f5fb3e1a68a1a224387c386f86bc7770318c3478c26ef1779fe30e56654bfee4f271663bac29a22c06e7fc77c8c85a37f6886cb

Download Submit
memory/876-69-0x0000000000480000-0x00000000004A8000-memory.dmp

Filesize
160KB

Download
memory/876-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1456-60-0x0000000000000000-mapping.dmp

Download
memory/1784-68-0x0000000000000000-mapping.dmp

Download
memory/1784-72-0x0000000001000000-0x0000000001028000-memory.dmp

Filesize
160KB

Download