45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063

Analysis

max time kernel
45s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 02:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe
Size

115KB
MD5

6b048a876984621cdadf454e787322de
SHA1

d0e5107c26986e35bc249b72d7b4655b0fb4d7d8
SHA256

45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063
SHA512

b77bcb3857f96c949873bcb08ee4e3d427f0d8160de78d30fbd729a8f4f69ffec6f2bc82cf73338c2b1ea4282e7cc0f4e3db005acd5ccd8da89a78beac1adcfb
SSDEEP

3072:RbGyJgGlL/WE4TDdlr4fd5URvdvIBseZanZnL:5GyJ76E4wUJdQieZ2

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000142c0-56.dat	upx
behavioral1/files/0x00070000000142c0-55.dat	upx
behavioral1/memory/1564-59-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x00070000000142c0-58.dat	upx
behavioral1/files/0x00070000000142c0-61.dat	upx
behavioral1/memory/900-62-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1564	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe
1564	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 900	1564	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe	26
PID 1564 wrote to memory of 900	1564	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe	26
PID 1564 wrote to memory of 900	1564	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe	26
PID 1564 wrote to memory of 900	1564	45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe	26

C:\Users\Admin\AppData\Local\Temp\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe
"C:\Users\Admin\AppData\Local\Temp\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\Temp\MT\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe
  "C:\Windows\Temp\MT\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe"
  2⤵
  - Executes dropped EXE
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\MT\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe

Filesize
85KB

MD5
99bd3dd4995d8f14b257fd05416e68cb

SHA1
ac04af9bd59070bdd508bffc00569f664c81301d

SHA256
bacda91e667d13db138b1377c02033f10a7ec80845d2a68edb299e59c0c51c08

SHA512
3abc52e772d4cb9e75bb6e3aa9ffa7264551c462e5832c269df502fa94a09af3b89672b038f05a53553d986e80938527f186e4787ee630259c6e4218dccbb585

Download Submit
C:\Windows\Temp\MT\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe

Filesize
85KB

MD5
99bd3dd4995d8f14b257fd05416e68cb

SHA1
ac04af9bd59070bdd508bffc00569f664c81301d

SHA256
bacda91e667d13db138b1377c02033f10a7ec80845d2a68edb299e59c0c51c08

SHA512
3abc52e772d4cb9e75bb6e3aa9ffa7264551c462e5832c269df502fa94a09af3b89672b038f05a53553d986e80938527f186e4787ee630259c6e4218dccbb585

Download Submit
\Windows\Temp\MT\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe

Filesize
85KB

MD5
99bd3dd4995d8f14b257fd05416e68cb

SHA1
ac04af9bd59070bdd508bffc00569f664c81301d

SHA256
bacda91e667d13db138b1377c02033f10a7ec80845d2a68edb299e59c0c51c08

SHA512
3abc52e772d4cb9e75bb6e3aa9ffa7264551c462e5832c269df502fa94a09af3b89672b038f05a53553d986e80938527f186e4787ee630259c6e4218dccbb585

Download Submit
\Windows\Temp\MT\45ceb2ef6be98084698407b4472efbe2a097adb6a884c95fa762214b3125a063.exe

Filesize
85KB

MD5
99bd3dd4995d8f14b257fd05416e68cb

SHA1
ac04af9bd59070bdd508bffc00569f664c81301d

SHA256
bacda91e667d13db138b1377c02033f10a7ec80845d2a68edb299e59c0c51c08

SHA512
3abc52e772d4cb9e75bb6e3aa9ffa7264551c462e5832c269df502fa94a09af3b89672b038f05a53553d986e80938527f186e4787ee630259c6e4218dccbb585

Download Submit
memory/900-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1564-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download