eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb

Analysis

max time kernel
129s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 07:59

Target

eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
Size

37KB
MD5

03cd6b1b551f243fa92a816c1e6b3c87
SHA1

3bd4310b99d2114549b99809b2020848dc7ad43f
SHA256

eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb
SHA512

6e24b62ac77e3ac39b0f19c643223ffef46f59cdff93e6b774990648113217d28f86d336bffba416f05cf8ad2a3b40996c1ee0e1499a45ed8eea5c2c7c3941e0
SSDEEP

768:C42I2yadMFCI342H0QNzR8AvNL9U8C4jhB1IgyleJ7mSwlNLjvLOwvf/8WKNQdT:YgCIxUQtR8+NL9U8JjpyY1mfjjvLfMWz

Score

7^/10

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\0E7j2JL.com	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
File opened for modification	C:\Windows\Fonts\0E7j2JL.com	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe
1276	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82
PID 5072 wrote to memory of 1276	5072	eafeaa0fd63047cd550e138c77d3c387c154b25e7b8256e90ed9561b7e76eabb.exe	82

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2304

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1276-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1276-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1276-136-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1276-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download