e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb

Analysis

max time kernel
47s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe
Size

152KB
MD5

56bc0e6b26bd889b1864b242e8e830a0
SHA1

5a706a68fd8f67ebd56cca1f6cc1bbdef6b47afa
SHA256

e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb
SHA512

f01a511e8fd9fc95959ef7dd3ef369a1d0b013543e189876697ef2045804a9ab0c135dc5187ebb9100f819670e8395e9e3308d5ca837a287ea1ecd7537cdbeeb
SSDEEP

3072:jbhBhlcIxu9WxT0VHUxCCiUzv/RqBuJxT0VHnMmhHXw:RM7HU7xwHnj2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	017858.exe

Loads dropped DLL 3 IoCs

pid	Process
1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe
1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe
1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2020	1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe	28
PID 1252 wrote to memory of 2020	1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe	28
PID 1252 wrote to memory of 2020	1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe	28
PID 1252 wrote to memory of 2020	1252	e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe	28

C:\Users\Admin\AppData\Local\Temp\e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe
"C:\Users\Admin\AppData\Local\Temp\e8a4d654331cbe149fc1216a9ad77b0df42080567ab9548f533811b75564a4eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Roaming\00A520\017858.exe
  "C:\Users\Admin\AppData\Roaming\00A520\017858.exe" -launcher
  2⤵
  - Executes dropped EXE
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\00A520\017858.exe

Filesize
107KB

MD5
e2a144637fe481358bf61e46fc9e0c8d

SHA1
4ad36a8444557d248d79b6ecf486c213a1762048

SHA256
a4a7601cc9a1530edfa9dfa8aaed77508cb089c35f180ff1e960167d2425f3cd

SHA512
8613c06ee5319a2d812f6a882f95bcfa4c791c7c7050a87b218db92283600b732dd31e3bf83961ad8d119ade3052664b93dbe0a94b19d8e3f80982e10dd06a75

Download Submit
C:\Users\Admin\AppData\Roaming\00A520\017858.exe

Filesize
107KB

MD5
e2a144637fe481358bf61e46fc9e0c8d

SHA1
4ad36a8444557d248d79b6ecf486c213a1762048

SHA256
a4a7601cc9a1530edfa9dfa8aaed77508cb089c35f180ff1e960167d2425f3cd

SHA512
8613c06ee5319a2d812f6a882f95bcfa4c791c7c7050a87b218db92283600b732dd31e3bf83961ad8d119ade3052664b93dbe0a94b19d8e3f80982e10dd06a75

Download Submit
\Users\Admin\AppData\Roaming\00A520\017858.exe

Filesize
107KB

MD5
e2a144637fe481358bf61e46fc9e0c8d

SHA1
4ad36a8444557d248d79b6ecf486c213a1762048

SHA256
a4a7601cc9a1530edfa9dfa8aaed77508cb089c35f180ff1e960167d2425f3cd

SHA512
8613c06ee5319a2d812f6a882f95bcfa4c791c7c7050a87b218db92283600b732dd31e3bf83961ad8d119ade3052664b93dbe0a94b19d8e3f80982e10dd06a75

Download Submit
\Users\Admin\AppData\Roaming\00A520\017858.exe

Filesize
107KB

MD5
e2a144637fe481358bf61e46fc9e0c8d

SHA1
4ad36a8444557d248d79b6ecf486c213a1762048

SHA256
a4a7601cc9a1530edfa9dfa8aaed77508cb089c35f180ff1e960167d2425f3cd

SHA512
8613c06ee5319a2d812f6a882f95bcfa4c791c7c7050a87b218db92283600b732dd31e3bf83961ad8d119ade3052664b93dbe0a94b19d8e3f80982e10dd06a75

Download Submit
\Users\Admin\AppData\Roaming\00A520\017858.exe

Filesize
107KB

MD5
e2a144637fe481358bf61e46fc9e0c8d

SHA1
4ad36a8444557d248d79b6ecf486c213a1762048

SHA256
a4a7601cc9a1530edfa9dfa8aaed77508cb089c35f180ff1e960167d2425f3cd

SHA512
8613c06ee5319a2d812f6a882f95bcfa4c791c7c7050a87b218db92283600b732dd31e3bf83961ad8d119ade3052664b93dbe0a94b19d8e3f80982e10dd06a75

Download Submit
memory/1252-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download