5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87

Analysis

max time kernel
137s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe
Size

522KB
MD5

65deb566dc3cde76e2853927782c70e9
SHA1

61cb80d9b8125938d4584bfb55113759cded8d73
SHA256

5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87
SHA512

021f552975b5b1bbf4a23e2450b04be1723e5c22024d279c1e58f74ac757a0e64b5fca69c116fcfc048172f910af1ae79e38dfb4fb79921e428a580feb6f329d
SSDEEP

12288:1WWzzfSS7RjIARpEAWngrGMQwcgGbFuNFNfx7sOQHQoShaEszj:tRjIAMZMPGbSfNK73

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4812-132-0x0000000000400000-0x00000000004FB000-memory.dmp	upx
behavioral2/memory/4812-136-0x0000000000400000-0x00000000004FB000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4812-132-0x0000000000400000-0x00000000004FB000-memory.dmp	autoit_exe
behavioral2/memory/4812-136-0x0000000000400000-0x00000000004FB000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4812 set thread context of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82
PID 4812 wrote to memory of 408	4812	5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe	82

C:\Users\Admin\AppData\Local\Temp\5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe
"C:\Users\Admin\AppData\Local\Temp\5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe
  "C:\Users\Admin\AppData\Local\Temp\5ffd5d224d13f346eaf6e9ce30f463004088de59212b3617aca9e11bae26dd87.exe"
  2⤵
  PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/408-133-0x0000000000000000-mapping.dmp

Download
memory/408-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/408-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4812-132-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4812-136-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download