283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd

Analysis

max time kernel
54s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 19:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe
Size

2.6MB
MD5

2bf587ddeebd72fa7fbef343424695f2
SHA1

ae1e882294f8415eb96929b074eb972534cc6eae
SHA256

283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd
SHA512

913f5451307340171c5612c198d78bfbfa49d635cc0094eb014ea1326f3f2f5e545801277c64f72f4fa5d8846bba68e7f9bb8a24d1aaca828ae9fa48dc2a0f26
SSDEEP

49152:eIg8VQzYlwgSb7CtGr31nCmgqnc42tGwF8D+ody7OkxfhSR7AQVNq0RcfU3C:YHzYl1vc3omrc42F8DRdBkXs7AQ5cfUS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	devices.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1928	devices.exe
1928	devices.exe
1928	devices.exe
1928	devices.exe
1928	devices.exe
1928	devices.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1928	devices.exe
1928	devices.exe
1928	devices.exe
1928	devices.exe
1928	devices.exe
1928	devices.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1928	1984	283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe	27
PID 1984 wrote to memory of 1928	1984	283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe	27
PID 1984 wrote to memory of 1928	1984	283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe	27
PID 1984 wrote to memory of 1928	1984	283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe	27

C:\Users\Admin\AppData\Local\Temp\283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe
"C:\Users\Admin\AppData\Local\Temp\283e6e6add8fdcb7bbb3753fdc2bafecb2b85ec5424c8f0c2610e056b3468bdd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\devices.exe
  "C:\Users\Admin\AppData\Local\Temp\devices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\devices.exe

Filesize
4.6MB

MD5
b0c6179ad5c0319b7c52da0afce2e332

SHA1
65e258d4bc1a058d26d4e48dca29f74e6102db6a

SHA256
ee07c158078dccfbeaea262e69826b893d87c12cd360d5ff7132873bf69f0e3b

SHA512
8b65d6b1c416a8fe324480d5f6087d98121b579119362193a93595682930d73fd1c06fe28b3b27cfd24010b1a931d26a5b6c5797f17764ca0496bf3f3a8a557d

Download Submit
\Users\Admin\AppData\Local\Temp\devices.exe

Filesize
4.6MB

MD5
b0c6179ad5c0319b7c52da0afce2e332

SHA1
65e258d4bc1a058d26d4e48dca29f74e6102db6a

SHA256
ee07c158078dccfbeaea262e69826b893d87c12cd360d5ff7132873bf69f0e3b

SHA512
8b65d6b1c416a8fe324480d5f6087d98121b579119362193a93595682930d73fd1c06fe28b3b27cfd24010b1a931d26a5b6c5797f17764ca0496bf3f3a8a557d

Download Submit
memory/1984-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download