41f23fba25f98997af310f295eef2e989c9f9c9a3e0d74c2edfb34599ee18d6a

Analysis

max time kernel
4s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.5MB
MD5

20b386b61a964aae2979248979da5e4d
SHA1

9c9fb29899649d6eccdc0c0ea9fe196f39e2bcb2
SHA256

41f23fba25f98997af310f295eef2e989c9f9c9a3e0d74c2edfb34599ee18d6a
SHA512

5134cc3817978f131f954dd3dc115d067822de62a0565539c439dcee7b4efd1576d85e6f2814d79dd031bcc3a7b40cc146250338b88d960c96f4d34687c49d58
SSDEEP

49152:Z2u7pB46IwS4TipQB9iUR3+r8bCq/jE++Xfs3fh0nVTOv2IUSz5VE3Hr3PA5hq:Mu7pLIQTi6h68bCq/6vmh0nVTNMLE8Dq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
944	is-IME4G.tmp

Loads dropped DLL 4 IoCs

pid	Process
2004	file.exe
944	is-IME4G.tmp
944	is-IME4G.tmp
944	is-IME4G.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 944	2004	file.exe	28
PID 2004 wrote to memory of 944	2004	file.exe	28
PID 2004 wrote to memory of 944	2004	file.exe	28
PID 2004 wrote to memory of 944	2004	file.exe	28
PID 2004 wrote to memory of 944	2004	file.exe	28
PID 2004 wrote to memory of 944	2004	file.exe	28
PID 2004 wrote to memory of 944	2004	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\is-KQT1G.tmp\is-IME4G.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KQT1G.tmp\is-IME4G.tmp" /SL4 $70022 "C:\Users\Admin\AppData\Local\Temp\file.exe" 2331157 52736
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KQT1G.tmp\is-IME4G.tmp

Filesize
20KB

MD5
195311058233eb13df10face95b703c1

SHA1
cfe67eb6b34260b21975f823e22d5915ce60e1ac

SHA256
2db82e7a9a4bb63a02780a656860f2c8a4a3cb84decbe9afe5e78db86f3283ba

SHA512
ffb8fe8af0b034e147d79434ebc7173699c37193d0e85b63d2a64e4a2ed812a8fcf7512a9cd6398334c711063acd1b2e5353a9bc56037909de1ae12bb7ee2a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQT1G.tmp\is-IME4G.tmp

Filesize
14KB

MD5
cc43954e05d9887b68089a0908f7434d

SHA1
c3e5a18a3b5440be1021ba4ccab9728892be371c

SHA256
a56aceba7b9e5b91f13da2b03747ecd0b5831b15b21c36077d6bb63591a04e78

SHA512
91074b5a4720b0e53c356f379dea3c6d5cdb6966150b57bb490035dba5f7c2618ac94ed4de973620abbc28ed238f390d1db0e9bbe6a1dd1e387b7dc937333f5b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KQT1G.tmp\is-IME4G.tmp

Filesize
28KB

MD5
306a062e7b3a9f6e322e55a9746c103d

SHA1
34ef0930cb67d46c573c57d1200488046a7c8114

SHA256
b56b58c2c181c632bf58a2931fec8280fa015e461bfdca079c4ccc233c19e1be

SHA512
1a8ddd31fec4f27bc303e5f679fe9b858c24da018ee4e1917588ec1afa40a1eccad43936ae298f8cd69ae0aa277419cab2de4678725aa537af6c196477a59b05

Download Submit
\Users\Admin\AppData\Local\Temp\is-UKRC6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-UKRC6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UKRC6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2004-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2004-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download