a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14

Analysis

max time kernel
91s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 00:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
Size

64KB
MD5

5b7675d3fa61654610c2275a8d4b0580
SHA1

e6a4d836b517b8677f61b6f2d106022d5b97ae97
SHA256

a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14
SHA512

708f3b36d1ad5369001d0c15eda584c4d4dd3268624617e12eb6a2c477844fd86a9efb76aa8181d716371d11c70e7ca778ebea0d60b2176164cdac3c0899522a
SSDEEP

1536:9SE/8FZkJ2xord29nSe+L6ZtTqI1xt8RddkI5:97kDkJ2+dKSBCt71xt8Rdd

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\K:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\M:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\Q:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\V:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\U:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\G:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\I:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\J:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\L:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\O:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\P:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\S:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\X:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\Z:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\B:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\H:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\R:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\Y:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\E:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\F:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\N:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\T:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened (read-only)	\??\W:	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\CredentialUIBroker.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dpnsvr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\iscsicpl.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\wscadminui.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\SettingSyncHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\tar.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\TpmTool.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ByteCodeGenerator.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\pcaui.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\rasautou.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\fsquirt.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\LaunchWinApp.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\sxstrace.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\wextract.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\AtBroker.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\colorcpl.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\PING.EXE	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\SyncHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\comp.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\dcomcnfg.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\WWAHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\backgroundTaskHost.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\SysWOW64\expand.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winhlp32.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\write.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\bfsvc.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\explorer.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\HelpPane.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\hh.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\notepad.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
File opened for modification	C:\Windows\splwow64.exe	a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe
"C:\Users\Admin\AppData\Local\Temp\a5ed07684ce215b9cf1481c7088f401faa251fdd2c9422dc854279f3b8853a14.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4832-132-0x0000000001000000-0x0000000001012B00-memory.dmp

Filesize
74KB

Download
memory/4832-133-0x0000000001000000-0x0000000001012B00-memory.dmp

Filesize
74KB

Download
memory/4832-134-0x0000000001000000-0x0000000001012B00-memory.dmp

Filesize
74KB

Download