cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499

Analysis

max time kernel
92s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 10:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe
Size

57KB
MD5

301824660c276df3f65b1cca3b722e95
SHA1

4d01d96cb8e7f8d9ab3cf9087672bcf70acdbb5d
SHA256

cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499
SHA512

33214c6704348cb5a648dabb5281793e4fb3c592a41bca233ad4b0d8b1632b0864a99b7f2da8b5550fdfdff6d2ab1a37f9cab5c08710618f28ea4d0b66c56ef4
SSDEEP

1536:WqBwbLWJLJFKqAZzrZA4kJJKlAfEXhw3knBxDn1TgYBemTn:WqBFJLzgOJJew0wugJmj

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
5004	cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe
5004	cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4316	5004	cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe	85
PID 5004 wrote to memory of 4316	5004	cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe	85
PID 5004 wrote to memory of 4316	5004	cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe	85

C:\Users\Admin\AppData\Local\Temp\cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe
"C:\Users\Admin\AppData\Local\Temp\cb4a1578574eab92427b24def164ed0a7205e53e0a041805adff70f3f4bdd499.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\ife.txt "C:\PROGRA~1\INTERN~1\ieframe.dll" /a
  2⤵
  - Drops file in Program Files directory
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ife.txt

Filesize
19.5MB

MD5
39b6ea8bed3a7eae7c3a3f71b8195775

SHA1
4a6765c643f0a17017a1b73825bdbd6b914698b4

SHA256
04895076e21ac63585fdd1b340bab09fae268295ebce12fd6fe7a83dc7bb67f3

SHA512
c864a207cd9c568c57571a1f082aadcb2b2896defd553c7e759f4491bc09f44b90d759b495c623fa76e215c7e3ab91f1160a98088f794bc682f30a9a8d76225f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA619.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA619.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit