ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe
Size

13.9MB
MD5

56f20f3d32fff51243e5c488f7c4643c
SHA1

2437d86f7c1662c83d0cd0b1ce012541eb59deaf
SHA256

ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9
SHA512

1ffbc4213ddc8ff93d4abee9369051c8210476225383c57783a082d0f17a78e8d68b271adf7af7733a840e259c964d81472ae2c64002f8108185dc6a23e617f7
SSDEEP

393216:H6uKvNtMAgYIBQXP9UShQcEfdF7XMqzKK:H6vMQuSGxfXR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1056	INS1DCE.tmp

Loads dropped DLL 2 IoCs

pid	Process
1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe
1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27
PID 1816 wrote to memory of 1056	1816	ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe	27

C:\Users\Admin\AppData\Local\Temp\ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe
"C:\Users\Admin\AppData\Local\Temp\ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\INS1DCE.tmp
  C:\Users\Admin\AppData\Local\Temp\INS1DCE.tmp /SL C:\Users\Admin\AppData\Local\Temp\ff632b3a3c7b44807df144afa30f5353715c0c397f661b78f9882e22a9b1b4a9.exe 14589615 68096
  2⤵
  - Executes dropped EXE
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INS1DCE.tmp

Filesize
364KB

MD5
7059f9a01eeb4e9c54552bc6381e267a

SHA1
25a166014d67990363be4cf83317f1f0fc7df6e1

SHA256
e6472478dc5c5a1e4e3315b4ba7e43c66864e8fe437480a34d00489447706cdc

SHA512
c18eb70a9cf6cfc9066c7aa8a83955a67570f9e3e0d576d3dacd1cafc03131a723e2730d6deb24415b8c6d4fefad0b1184dbf8b3b16963f947a431b710e925df

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS1DCE.tmp

Filesize
364KB

MD5
7059f9a01eeb4e9c54552bc6381e267a

SHA1
25a166014d67990363be4cf83317f1f0fc7df6e1

SHA256
e6472478dc5c5a1e4e3315b4ba7e43c66864e8fe437480a34d00489447706cdc

SHA512
c18eb70a9cf6cfc9066c7aa8a83955a67570f9e3e0d576d3dacd1cafc03131a723e2730d6deb24415b8c6d4fefad0b1184dbf8b3b16963f947a431b710e925df

Download Submit
\Users\Admin\AppData\Local\Temp\INS1DCE.tmp

Filesize
364KB

MD5
7059f9a01eeb4e9c54552bc6381e267a

SHA1
25a166014d67990363be4cf83317f1f0fc7df6e1

SHA256
e6472478dc5c5a1e4e3315b4ba7e43c66864e8fe437480a34d00489447706cdc

SHA512
c18eb70a9cf6cfc9066c7aa8a83955a67570f9e3e0d576d3dacd1cafc03131a723e2730d6deb24415b8c6d4fefad0b1184dbf8b3b16963f947a431b710e925df

Download Submit
\Users\Admin\AppData\Local\Temp\INS1DCE.tmp

Filesize
364KB

MD5
7059f9a01eeb4e9c54552bc6381e267a

SHA1
25a166014d67990363be4cf83317f1f0fc7df6e1

SHA256
e6472478dc5c5a1e4e3315b4ba7e43c66864e8fe437480a34d00489447706cdc

SHA512
c18eb70a9cf6cfc9066c7aa8a83955a67570f9e3e0d576d3dacd1cafc03131a723e2730d6deb24415b8c6d4fefad0b1184dbf8b3b16963f947a431b710e925df

Download Submit
memory/1816-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download