ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51

Analysis

max time kernel
159s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe
Size

2.0MB
MD5

181bb7769e56cbe3a884eb1e5005f238
SHA1

71654435e74b6c58c3fd4749282dd5ce7a5d2a82
SHA256

ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51
SHA512

cd4616362b60d2ab4c7d61942ec37e05935e00f227354ad23e25d2d7834a66d0b775a888cc9b98f7591abf5e962d60f35a4c1cc287efd5c85e1a5e043112fd1a
SSDEEP

49152:IZdv0AdrztXK6JCUQKTaIaZEVNwypDlOdVe6oTOIqvaECfNhQiSpogmqpnK1E2:sdv7drB66zQTwVayxlO33sTFLQiSpHmL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4132	is-DPO0N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4132	4680	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	81
PID 4680 wrote to memory of 4132	4680	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	81
PID 4680 wrote to memory of 4132	4680	ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe	81

C:\Users\Admin\AppData\Local\Temp\ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe
"C:\Users\Admin\AppData\Local\Temp\ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Users\Admin\AppData\Local\Temp\is-9AE5V.tmp\is-DPO0N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9AE5V.tmp\is-DPO0N.tmp" /SL4 $4005C "C:\Users\Admin\AppData\Local\Temp\ddd33bca13dd4bfbd45bb7d844dd1e3e00f4c23ea0ccf38f33f35b6a20ac6f51.exe" 1893544 51200
  2⤵
  - Executes dropped EXE
  PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9AE5V.tmp\is-DPO0N.tmp

Filesize
640KB

MD5
2f8aef768ccccd1cca5ded7e43fe700c

SHA1
1b3c7fb760365bb734c40c71960adcacfb27a151

SHA256
df73f5b8784ddaa7c7e0360a0e3006ed113f000ea91995ffff7095d80c61640a

SHA512
778bb88061aa681ed1fa88a0a545b6c5fa001b2b0f8326af926a76bb3a8597c2f3957227833c5cb45b0d72f11f3340eddf3b46e8ae3850b2c3613b920fed39bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AE5V.tmp\is-DPO0N.tmp

Filesize
640KB

MD5
2f8aef768ccccd1cca5ded7e43fe700c

SHA1
1b3c7fb760365bb734c40c71960adcacfb27a151

SHA256
df73f5b8784ddaa7c7e0360a0e3006ed113f000ea91995ffff7095d80c61640a

SHA512
778bb88061aa681ed1fa88a0a545b6c5fa001b2b0f8326af926a76bb3a8597c2f3957227833c5cb45b0d72f11f3340eddf3b46e8ae3850b2c3613b920fed39bb

Download Submit
memory/4680-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4680-137-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download