b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661

Analysis

max time kernel
26s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661.exe
Size

122KB
MD5

31a3c368222cdd516c950b5352d9a4f3
SHA1

240dcc95dfb795f027f6ccd6375c05d522c7570f
SHA256

b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661
SHA512

826a1419277fc5c02aff4d6cbf9e36dc755a1fa55d119e2f2826516dfcee0cec28109b3293868f3ae72785998453d21271a3da8e0b29b730134e512500b16c05
SSDEEP

1536:nFyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DR5n:FyzQVCujl71QZZ4kp4F9XtZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1180	b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661.exe
1180	b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661.exe

C:\Users\Admin\AppData\Local\Temp\b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661.exe
"C:\Users\Admin\AppData\Local\Temp\b8d81b0161bcdc82aadcbb497984a18d41b5d3de9a8d67c45a4a5ee23ce38661.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1180
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
1⤵
PID:4836
- \??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe
  2⤵
  PID:1712
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe PR
    3⤵
    PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
35KB

MD5
f38a719206c8b3fdd485bb4ed56c61c4

SHA1
83a0f25e9b0f2c096c8d776ec941eb1fde7399c4

SHA256
be58f8ce28baaf9fc70e9dca3f4d704c698f2f29eb8dc7f5f6c9e59580b94c01

SHA512
b4eb56ee3f4c0a922660d03fde7300584746bf89d2da356358817f321d5a1e6d2bec341c71f732a94cf81366d39abb222d3d8d2cbcaef64df8559255a4ab08d9

Download Submit
C:\Windows\System\explorer.exe

Filesize
36KB

MD5
e25c2f648df9004bf3c8156877718526

SHA1
064625683c10b71e9ff42ce84af2b793a287790f

SHA256
c7c41432015341b6e8219d49d282e01661f74189bcc2fcb37133bd11bc4a79f5

SHA512
e7c3e47f5b269ad6087eb93e362049e65fec95bb0a71ebfec514026b782fbc65aa085002cd93b88ff6060988a26534af37282c43b078add0c91fe96e32bb3c7e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
26KB

MD5
f93f5ee3c8a5a6269e0af5620ac70ad5

SHA1
6b8521c271a30f60c6101c9517df08c15d3583bd

SHA256
63bdd4087d90593f9e35426eca20960ac3d89dcc0d84a692a2f54fdb4611209d

SHA512
fbb422c35bd949d8a54ba7f54aa58e8bb3928e08f1a2b3dd79f8f690d5c76878a11847b2fa0b1079d7d8f951c84b5be8e1a0ceddd4317b6b99d185af38864714

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
32KB

MD5
2fea3327eba41ef6f43e7b86708f9d21

SHA1
c3852907b3bbef3898ae8eb176920bdc156bcbc6

SHA256
dba5e94b4ccec60a687c63d848db59ba0e620b47a02b1d899d65a3d02150d548

SHA512
02d080aa88ead8ca872bbcdfff324f5630a0179c5da364bfc2b8d43ea540def9b9cc3f0ccce01e3115ef05acd97ff7b59071c3dd4eb1aabaae41778739882341

Download Submit
C:\Windows\System\svchost.exe

Filesize
15KB

MD5
b42cad56d7a7e609387dc2398020a64f

SHA1
46a81fa690c7249a3dbc7be6c0791a6dbe1ad441

SHA256
50da4c283ef86321a36ba7b25db37c688318c6f8591a5c229bfedc34c4c17518

SHA512
027494bdd1f663a0005f92e40f52d12f89dcab970c7050fda555cc780e89b68c4b6983af9381bb6db7b0868c44db0bf72ca42cd339a2099fbc137586a1d8f6be

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
23KB

MD5
b9625966ffb84db22a987a04da21432a

SHA1
1ce24515c4ff0fcdc2a1ef8460330f91db6352d7

SHA256
3aa6624947b638ce5146c31efa5304cf18cdc52bd3254483397d93af687cb2d5

SHA512
8eacac3d5188af141e7f09c976c1f1b82d01eb9f796a47ae9bca8f97e7b56b0a5ba0fa22cad33899f5665e51ad45aaeda80a49a750890504514892cf04489fbc

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
18KB

MD5
261d70c48c5ed99fd8723e6a7facf8c8

SHA1
ad14622625b3c38e8946fcc8ef9c02065290f594

SHA256
a687a6a098cbc7c3ae943ced834ad61a4f0b333916d8f6d44943094d58c6aeaa

SHA512
9afb290c950aa9f4a95bc471e66a9aff2ad9f096d03df34ae3bf8eaf6be57f1faae9f7762754395f041a6e5b9672b6b58bda830c7d73936eb182c3ebf247441a

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
21KB

MD5
02a4badd160af4ab5ec74222c02af0e0

SHA1
37d2cbfb6ee1c7d7414f557af77a535297c05e56

SHA256
5e04312ee6b745d3273432b6f7cfb8dffa8de52bd9b6cdf44267ef80dc9c733b

SHA512
014a8df2659776878fc2d7b2b0437848794523729403a83a6aef965caa81fc2f2bd32f7aded4a1a9d9ccf061f011dc213cb1fdd48b327dfd47e31a64912661a6

Download Submit