bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe
Size

24KB
MD5

2213f440ce4b43e3d19959f4bdfd6500
SHA1

a5701c3939f4c459d09649ee9646054ecceba724
SHA256

bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44
SHA512

184bdc61ec762035a81dfa6bfe46583a8e05c81798d331a6298c6292b576dbc19a20caf5be81d206d124d5835064179db5bc1f89808f8a50ead3bc34e343105b
SSDEEP

384:bXvr/G9K/aASCjr8bfCmIyCl/wI0/1YTrfjkC+I3K:b/zG9lCapIyMdnfjMI6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	hots.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe
1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe
1992	hots.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1992	1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe	26
PID 1764 wrote to memory of 1992	1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe	26
PID 1764 wrote to memory of 1992	1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe	26
PID 1764 wrote to memory of 1992	1764	bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe	26

C:\Users\Admin\AppData\Local\Temp\bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe
"C:\Users\Admin\AppData\Local\Temp\bc32e0a1b8df040f6fc8ef4386315d8a137e78b65d1aca90ecbcc1115d6a1c44.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\hots.exe
  "C:\Users\Admin\AppData\Local\Temp\hots.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hots.exe

Filesize
24KB

MD5
4f92fe5b8c9b051ded2db041115f21b7

SHA1
2795f0983765391572ab1952408e4e4ae77bd2f0

SHA256
3eec46cad72281001bbd36b4a9102e45c5bcb9ada94ff6d0327f5d954fdd1fd2

SHA512
2e5494a5ca757c90a27dfd0bf5d7a9909ae11ab800ced28ede82a583bd36093852a202e66de7b48a3f9149f4158acabd8824c4b5862ea1b5cde48fae0b8b92e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hots.exe

Filesize
24KB

MD5
4f92fe5b8c9b051ded2db041115f21b7

SHA1
2795f0983765391572ab1952408e4e4ae77bd2f0

SHA256
3eec46cad72281001bbd36b4a9102e45c5bcb9ada94ff6d0327f5d954fdd1fd2

SHA512
2e5494a5ca757c90a27dfd0bf5d7a9909ae11ab800ced28ede82a583bd36093852a202e66de7b48a3f9149f4158acabd8824c4b5862ea1b5cde48fae0b8b92e1

Download Submit
\Users\Admin\AppData\Local\Temp\hots.exe

Filesize
24KB

MD5
4f92fe5b8c9b051ded2db041115f21b7

SHA1
2795f0983765391572ab1952408e4e4ae77bd2f0

SHA256
3eec46cad72281001bbd36b4a9102e45c5bcb9ada94ff6d0327f5d954fdd1fd2

SHA512
2e5494a5ca757c90a27dfd0bf5d7a9909ae11ab800ced28ede82a583bd36093852a202e66de7b48a3f9149f4158acabd8824c4b5862ea1b5cde48fae0b8b92e1

Download Submit
\Users\Admin\AppData\Local\Temp\hots.exe

Filesize
24KB

MD5
4f92fe5b8c9b051ded2db041115f21b7

SHA1
2795f0983765391572ab1952408e4e4ae77bd2f0

SHA256
3eec46cad72281001bbd36b4a9102e45c5bcb9ada94ff6d0327f5d954fdd1fd2

SHA512
2e5494a5ca757c90a27dfd0bf5d7a9909ae11ab800ced28ede82a583bd36093852a202e66de7b48a3f9149f4158acabd8824c4b5862ea1b5cde48fae0b8b92e1

Download Submit
memory/1764-54-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1764-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1764-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1764-57-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1992-66-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download