5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3

Analysis

max time kernel
152s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe
Size

20KB
MD5

78891f6f2ad9f727df26a8c5a5d35030
SHA1

f97db70c739337a11c415bc4f4ff9672a923f096
SHA256

5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3
SHA512

4492113846e11f918a9541b16ffe95958c046b7c992421fbb3ab5e1816b11ec008e060be9dd1a129fbd1090461f6acd52143ffe7d7a6019d53fc732471aee99a
SSDEEP

192:qytgAeuB2S7FFWlSkABcI+EWL/hTUozHLYWlXZ1M075rRh5NqCG/:qySFpcI5pTUo7LtF2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2024	cchip.exe

Loads dropped DLL 1 IoCs

pid	Process
860	5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2024	860	5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe	27
PID 860 wrote to memory of 2024	860	5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe	27
PID 860 wrote to memory of 2024	860	5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe	27
PID 860 wrote to memory of 2024	860	5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe	27

C:\Users\Admin\AppData\Local\Temp\5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe
"C:\Users\Admin\AppData\Local\Temp\5af99081eb8f2f5700dd72957925078ac98b5efaeb3f0e55bcee295a5254ade3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\cchip.exe
  "C:\Users\Admin\AppData\Local\Temp\cchip.exe"
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cchip.exe

Filesize
20KB

MD5
ed4dd35bfabbbc11a112976c97c2d4db

SHA1
a1e8f57dc611a2d4313f2678c8bd37b9474f860d

SHA256
d45ed366bcb9585d0060fc9542f42a52b051660b0ed87e8f13177d49fc73ee6e

SHA512
237811c1708c5c5df9571338ec8dca9a49ca95d89a5bd7c57f09e52a9e024600e15da2a9e7169e94e63863cdbf94dc10860959b63b2774c07b913728270857a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cchip.exe

Filesize
20KB

MD5
ed4dd35bfabbbc11a112976c97c2d4db

SHA1
a1e8f57dc611a2d4313f2678c8bd37b9474f860d

SHA256
d45ed366bcb9585d0060fc9542f42a52b051660b0ed87e8f13177d49fc73ee6e

SHA512
237811c1708c5c5df9571338ec8dca9a49ca95d89a5bd7c57f09e52a9e024600e15da2a9e7169e94e63863cdbf94dc10860959b63b2774c07b913728270857a6

Download Submit
\Users\Admin\AppData\Local\Temp\cchip.exe

Filesize
20KB

MD5
ed4dd35bfabbbc11a112976c97c2d4db

SHA1
a1e8f57dc611a2d4313f2678c8bd37b9474f860d

SHA256
d45ed366bcb9585d0060fc9542f42a52b051660b0ed87e8f13177d49fc73ee6e

SHA512
237811c1708c5c5df9571338ec8dca9a49ca95d89a5bd7c57f09e52a9e024600e15da2a9e7169e94e63863cdbf94dc10860959b63b2774c07b913728270857a6

Download Submit
memory/860-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download