ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5

Analysis

max time kernel
36s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 05:04 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe
Size

28KB
MD5

7cd3fa5c8d3c3730dd7cfd13649e6ee9
SHA1

9127b742ee66a055709e348d8934b0c04409a7cc
SHA256

ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5
SHA512

d5caaa22de36a8e119f16d96a196147065ce7efa7b7dc0bf38ba2731de0599ea9c38cd5ee4ecadcb3f9e261f6c01678a9d3abf5cd52542d8550d69ada7d62eef
SSDEEP

384:/TNUFewBPnrm+zmD+aC+EA33nDQKXhFlzQKXCFlmEvJrIRtDr4EYs81fp:/oPybiqXDQKQMEviTsEA1f

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 892	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	27
PID 1476 wrote to memory of 892	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	27
PID 1476 wrote to memory of 892	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	27
PID 1476 wrote to memory of 892	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	27
PID 892 wrote to memory of 1940	892	cmd.exe	29
PID 892 wrote to memory of 1940	892	cmd.exe	29
PID 892 wrote to memory of 1940	892	cmd.exe	29
PID 892 wrote to memory of 1940	892	cmd.exe	29
PID 1476 wrote to memory of 840	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	30
PID 1476 wrote to memory of 840	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	30
PID 1476 wrote to memory of 840	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	30
PID 1476 wrote to memory of 840	1476	ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe	30
PID 840 wrote to memory of 1096	840	cmd.exe	32
PID 840 wrote to memory of 1096	840	cmd.exe	32
PID 840 wrote to memory of 1096	840	cmd.exe	32
PID 840 wrote to memory of 1096	840	cmd.exe	32

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1096	attrib.exe
1940	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe
"C:\Users\Admin\AppData\Local\Temp\ed440cbe1c8f604cc3595b91d0c442148e51dcff578f216237b2a626fc7df3f5.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SE.bat" 0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r C:\Windows\system32\drivers\etc\hosts
    3⤵
    - Views/modifies file attributes
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SL.bat" 0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r C:\Windows\system32\drivers\etc\hosts
    3⤵
    - Views/modifies file attributes
    PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SE.bat

Filesize
49B

MD5
d013cc282f8c7dd36aa46b9db97f14ca

SHA1
1d6d23a62127302e4a6409aaa45902186bccf552

SHA256
46eec18440b6879e3271fb55049330c6c33a89131a0d4bd57631e4633d1d59d0

SHA512
c171985b9aa7dcb19590e5c40c4512a02776afb67abfc1b984112a5ce6e3a0ad6db61ea3851dbf2b6f5f0ad0495b4b9c33015bfc68a9bb16b46c40c6363705e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SL.bat

Filesize
49B

MD5
e271e0a233b644da15be208de2a9aae1

SHA1
732d068d81bcdf50709be42245264e3c0b7670e8

SHA256
19951fc879d9c1ca5b53d0451539ec2e5bbdaa6cc3dada46194aded4cc1b8054

SHA512
edc34083fadcdc9d1b78696b60faa40f75ef7f0f53ee1cd523b87005267f217d00171a13ae9308c42efdaf19e90c1d6526342ceb9a4dedefeeb0d59f2b5f0473

Download Submit
memory/1476-54-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1476-57-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1476-61-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1476-65-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.