ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe
Size

2.0MB
MD5

181bb7769e56cbe3a884eb1e5005f238
SHA1

71654435e74b6c58c3fd4749282dd5ce7a5d2a82
SHA256

ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51
SHA512

cd4616362b60d2ab4c7d61942ec37e05935e00f227354ad23e25d2d7834a66d0b775a888cc9b98f7591abf5e962d60f35a4c1cc287efd5c85e1a5e043112fd1a
SSDEEP

49152:IZdv0AdrztXK6JCUQKTaIaZEVNwypDlOdVe6oTOIqvaECfNhQiSpogmqpnK1E2:sdv7drB66zQTwVayxlO33sTFLQiSpHmL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	is-60L0T.tmp

Loads dropped DLL 3 IoCs

pid	Process
1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe
1496	is-60L0T.tmp
1496	is-60L0T.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27
PID 1788 wrote to memory of 1496	1788	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	27

C:\Users\Admin\AppData\Local\Temp\ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe
"C:\Users\Admin\AppData\Local\Temp\ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\is-O7QGE.tmp\is-60L0T.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O7QGE.tmp\is-60L0T.tmp" /SL4 $60124 "C:\Users\Admin\AppData\Local\Temp\ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe" 1893544 51200
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-O7QGE.tmp\is-60L0T.tmp

Filesize
640KB

MD5
2f8aef768ccccd1cca5ded7e43fe700c

SHA1
1b3c7fb760365bb734c40c71960adcacfb27a151

SHA256
df73f5b8784ddaa7c7e0360a0e3006ed113f000ea91995ffff7095d80c61640a

SHA512
778bb88061aa681ed1fa88a0a545b6c5fa001b2b0f8326af926a76bb3a8597c2f3957227833c5cb45b0d72f11f3340eddf3b46e8ae3850b2c3613b920fed39bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O7QGE.tmp\is-60L0T.tmp

Filesize
640KB

MD5
2f8aef768ccccd1cca5ded7e43fe700c

SHA1
1b3c7fb760365bb734c40c71960adcacfb27a151

SHA256
df73f5b8784ddaa7c7e0360a0e3006ed113f000ea91995ffff7095d80c61640a

SHA512
778bb88061aa681ed1fa88a0a545b6c5fa001b2b0f8326af926a76bb3a8597c2f3957227833c5cb45b0d72f11f3340eddf3b46e8ae3850b2c3613b920fed39bb

Download Submit
\Users\Admin\AppData\Local\Temp\is-JLRNC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
b05cd5cd1c0968db5766fba7c9b13a69

SHA1
29fa5f9e394704b4ee0bace2b8c17aea2d5769c5

SHA256
6489865bf98963bbdc269d0744492d418882db47962b50264cf9b168ae7a2cc3

SHA512
e7b0d9a1009f3f57106eb2205d53d1580639f29fbf96991754e4d979bb61faf74bd62bac636164cf73381e30a48527792dc9e8c86747491d8b946aa9a0c464dd

Download Submit
\Users\Admin\AppData\Local\Temp\is-JLRNC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
b05cd5cd1c0968db5766fba7c9b13a69

SHA1
29fa5f9e394704b4ee0bace2b8c17aea2d5769c5

SHA256
6489865bf98963bbdc269d0744492d418882db47962b50264cf9b168ae7a2cc3

SHA512
e7b0d9a1009f3f57106eb2205d53d1580639f29fbf96991754e4d979bb61faf74bd62bac636164cf73381e30a48527792dc9e8c86747491d8b946aa9a0c464dd

Download Submit
\Users\Admin\AppData\Local\Temp\is-O7QGE.tmp\is-60L0T.tmp

Filesize
640KB

MD5
2f8aef768ccccd1cca5ded7e43fe700c

SHA1
1b3c7fb760365bb734c40c71960adcacfb27a151

SHA256
df73f5b8784ddaa7c7e0360a0e3006ed113f000ea91995ffff7095d80c61640a

SHA512
778bb88061aa681ed1fa88a0a545b6c5fa001b2b0f8326af926a76bb3a8597c2f3957227833c5cb45b0d72f11f3340eddf3b46e8ae3850b2c3613b920fed39bb

Download Submit
memory/1788-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1788-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1788-63-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1788-64-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download