c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe
Size

196KB
MD5

75ffb1704479588ae90e1898e55f2aa0
SHA1

40469c0e1f45260907f16082cf09399fbc0d0c64
SHA256

c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a
SHA512

bbfd55d8337ee1ebf24d913f88e423c1c793f558ed90f9317d6ebb0ef1abc5586bf4abd3f22f312f4f9ec186959a70000b073eb1fb10529c4d261ceaa7be274f
SSDEEP

3072:mzoGG1d1xs5chHEDS6jq0WWz+LyBhM2U8MZKTlZ1IjbV1rxWggnYsaF4GW+mhKQv:SGNxs5oeS6sWSLZtZeHIbVj4YsaTW5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	0c2c7e8590074f2c82b5647f6b6090e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1520	1672	c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe	27
PID 1672 wrote to memory of 1520	1672	c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe	27
PID 1672 wrote to memory of 1520	1672	c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe	27
PID 1672 wrote to memory of 1520	1672	c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe	27

C:\Users\Admin\AppData\Local\Temp\c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe
"C:\Users\Admin\AppData\Local\Temp\c35caae7367b02f27acdb653d6c4b53efdec7445ff1c95a68694d73f47984f8a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\0c2c7e8590074f2c82b5647f6b6090e6.exe
  "C:\Users\Admin\AppData\Local\Temp\0c2c7e8590074f2c82b5647f6b6090e6.exe"
  2⤵
  - Executes dropped EXE
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c2c7e8590074f2c82b5647f6b6090e6.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
memory/1520-58-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

Filesize
10.1MB

Download
memory/1672-55-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download