99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5

Analysis

max time kernel
46s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe
Size

556KB
MD5

0aac6b89c8aa50cc1d708d235503cfe0
SHA1

272f01480769a2336af5d5599a1a556df07812d9
SHA256

99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5
SHA512

5f9f69cca55a4797823409ab61b103804bb207ad241670db9c43700a12f3a929a0f4ca53d6c8a577bef250c0adaf56a5499ecb73c10cbee955368c096d239794
SSDEEP

12288:YOBKDSrjas6GaAKobCByFpDKh1QxFIWq4cA:pqhs6GNKobhFpmh14Bq4cA

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Config.ini	99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe
File created	C:\Windows\SysWOW64\tempvbs.vbs	99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 4928	3284	99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe	84
PID 3284 wrote to memory of 4928	3284	99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe	84
PID 3284 wrote to memory of 4928	3284	99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe	84

C:\Users\Admin\AppData\Local\Temp\99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe
"C:\Users\Admin\AppData\Local\Temp\99d1919eaaada9582faa326d1e5fca45d5c067bac78ff13b61bc63d4c872e4c5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\wscript.exe
  C:\Windows\System32\wscript.exe C:\Windows\System32\tempvbs.vbs
  2⤵
  PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tempvbs.vbs

Filesize
4KB

MD5
08e8742e6c7b2d7106d0f5593b387ae7

SHA1
e258bee3f15d1f5d8f9f97ae200eed34091765d6

SHA256
c81d4d929caa48aa2aed5268b2ce17bcf825bc5398e25b12f17ac2756ae689dc

SHA512
b76c3351b643de22941c52c5427962a07d6befe4e4d57454ac3e2e86aa8d40a1f0bc32f78c9412f8f715f3857152985e45078129137aa6779ae4956c483de35c

Download Submit