cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504

Analysis

max time kernel
121s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe
Size

19KB
MD5

0b353dcdaf9963971c42084d77036060
SHA1

4dbdf6b657b22b11d3161d1649b4aa39fe09a839
SHA256

cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504
SHA512

13d385a3dab7ef4971bc27764f155f24ecb37c6f07ca63a9ee79a9baa84a550aac8260e553ab793fd7254fc24dae10f9f53cbe37aa8483d1fb5ef2626da12f2b
SSDEEP

192:itxkDDYd9X9lr51ZaYHULSdSfiCetbpE1eEE1RsocnavkFqKTYcB57f:gxNlDZnUShCkFIZocXLnB5z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1216	scriz.exe

Loads dropped DLL 2 IoCs

pid	Process
1808	cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe
1808	cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1216	1808	cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe	17
PID 1808 wrote to memory of 1216	1808	cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe	17
PID 1808 wrote to memory of 1216	1808	cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe	17
PID 1808 wrote to memory of 1216	1808	cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe	17

C:\Users\Admin\AppData\Local\Temp\cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe
"C:\Users\Admin\AppData\Local\Temp\cf8ee19600acb432bae6f59c4f9e0111e7e6651ca79c8e209a7f2c2e8a314504.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\scriz.exe
  "C:\Users\Admin\AppData\Local\Temp\scriz.exe"
  2⤵
  - Executes dropped EXE
  PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scriz.exe

Filesize
19KB

MD5
fe61c3a0d49042bdc688a68feb59a4bd

SHA1
321871efe107500097b5e13f640410b26a198e3d

SHA256
a680ccc76cf8369a69397aa34e250c367d042bdb86d4306af1451fbda83c8a93

SHA512
ec53bc90a36d3ed28f1fb8250e23844d7084450301104d32bcaae3ac77afe23dc33d54f33b78333eb8163bbff2e18ab7cbf244d347ca88f1128ae524a1df980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scriz.exe

Filesize
19KB

MD5
fe61c3a0d49042bdc688a68feb59a4bd

SHA1
321871efe107500097b5e13f640410b26a198e3d

SHA256
a680ccc76cf8369a69397aa34e250c367d042bdb86d4306af1451fbda83c8a93

SHA512
ec53bc90a36d3ed28f1fb8250e23844d7084450301104d32bcaae3ac77afe23dc33d54f33b78333eb8163bbff2e18ab7cbf244d347ca88f1128ae524a1df980f

Download Submit
\Users\Admin\AppData\Local\Temp\scriz.exe

Filesize
19KB

MD5
fe61c3a0d49042bdc688a68feb59a4bd

SHA1
321871efe107500097b5e13f640410b26a198e3d

SHA256
a680ccc76cf8369a69397aa34e250c367d042bdb86d4306af1451fbda83c8a93

SHA512
ec53bc90a36d3ed28f1fb8250e23844d7084450301104d32bcaae3ac77afe23dc33d54f33b78333eb8163bbff2e18ab7cbf244d347ca88f1128ae524a1df980f

Download Submit
\Users\Admin\AppData\Local\Temp\scriz.exe

Filesize
19KB

MD5
fe61c3a0d49042bdc688a68feb59a4bd

SHA1
321871efe107500097b5e13f640410b26a198e3d

SHA256
a680ccc76cf8369a69397aa34e250c367d042bdb86d4306af1451fbda83c8a93

SHA512
ec53bc90a36d3ed28f1fb8250e23844d7084450301104d32bcaae3ac77afe23dc33d54f33b78333eb8163bbff2e18ab7cbf244d347ca88f1128ae524a1df980f

Download Submit
memory/1216-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1808-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1808-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download