83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c

Analysis

max time kernel
33s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe
Size

132KB
MD5

0ef7aa7536d79eed157464cb30ebe2b0
SHA1

c3ceae4c8f758a39df7602dc38ae1ebbe802f9c2
SHA256

83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c
SHA512

0cbc89bac9c058de78182d2973c52616bf8ae28b23e3e1507416981871a4e7870eed62f0d9edc4f50c362d2545bb32974c6409274242723cf4f9b17eb2b8680d
SSDEEP

3072:SBHWlZjf0IeT0r7DhHzIXcgix//3ObFkDn4WyNVbWkmZQFZ1m326:oHqh0IpDdHg6HSSnEJI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
840	mma.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe
2024	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe
840	mma.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\P2P_API.dll	mma.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mma.dll	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 840	2024	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe	26
PID 2024 wrote to memory of 840	2024	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe	26
PID 2024 wrote to memory of 840	2024	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe	26
PID 2024 wrote to memory of 840	2024	83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe	26
PID 840 wrote to memory of 1284	840	mma.exe	14
PID 840 wrote to memory of 1284	840	mma.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe
  "C:\Users\Admin\AppData\Local\Temp\83635be61ecf0234ed2fe962277662de18979fd17e78598c34f958bf55a8691c.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\mma.exe
    "C:\Users\Admin\AppData\Local\Temp\mma.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mma.exe

Filesize
38KB

MD5
be35303b57c9b4ba14a4d4c5875b4477

SHA1
67bb1699c0ef26dd44e330168841ac74c895c9fb

SHA256
fec01a783fd677f5c0b81f084e3f6804d10a74153486dfcb58279ee4fea89ccb

SHA512
02900d41287b30f864a0f8515a846bbbfbaaf344ab605c69e3fabf76da258f92d1642b4f950486cedb0590fb07880d67c24fbca2de7d7e0b8869a21ff26cb110

Download Submit
\Users\Admin\AppData\Local\Temp\mma.exe

Filesize
38KB

MD5
be35303b57c9b4ba14a4d4c5875b4477

SHA1
67bb1699c0ef26dd44e330168841ac74c895c9fb

SHA256
fec01a783fd677f5c0b81f084e3f6804d10a74153486dfcb58279ee4fea89ccb

SHA512
02900d41287b30f864a0f8515a846bbbfbaaf344ab605c69e3fabf76da258f92d1642b4f950486cedb0590fb07880d67c24fbca2de7d7e0b8869a21ff26cb110

Download Submit
\Users\Admin\AppData\Local\Temp\mma.exe

Filesize
38KB

MD5
be35303b57c9b4ba14a4d4c5875b4477

SHA1
67bb1699c0ef26dd44e330168841ac74c895c9fb

SHA256
fec01a783fd677f5c0b81f084e3f6804d10a74153486dfcb58279ee4fea89ccb

SHA512
02900d41287b30f864a0f8515a846bbbfbaaf344ab605c69e3fabf76da258f92d1642b4f950486cedb0590fb07880d67c24fbca2de7d7e0b8869a21ff26cb110

Download Submit
\Windows\SysWOW64\P2P_API.dll

Filesize
34KB

MD5
1659b35a41cae71e3c5d949bab2c7192

SHA1
f767fb983c514f49bbb6878d8d586401822b8a36

SHA256
22daf5ab7df0c4e130ae4b0609a2619d8579e72ac5a91bccdfbeaff74422f7d3

SHA512
374073b1974361875586457f63440d6166852814666644eca4865d0007b6e471cf6abfbd6ed601d68d5471af9cdc5e47d8f743acc84e3630432e8a1476a92341

Download Submit
memory/840-65-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/840-64-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/840-66-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2024-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2024-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2024-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download