19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc

Analysis

max time kernel
42s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 06:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe
Size

1.2MB
MD5

a27cac37dcd72f1736acf681847662f5
SHA1

944c807db3868dd9efbd57e92b58207e1c53bd84
SHA256

19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc
SHA512

5055cc3899855823c6437c085c4698d8179e1e7c6e332f10fccfdcf5e605fe3b7faa6073b9e9218bfd80e3e77a41d469cba7c5a4c3b0af94e66ade6d3549056a
SSDEEP

24576:9MmnDC+rPnAveavusQoiFMJA9u/1olqXefho2Scl7TjFk:9jDCiofupzFMJHNAhLl7Tjy

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-56-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1720-56-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1312	1720	19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1312	1720	19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe	27
PID 1720 wrote to memory of 1312	1720	19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe	27
PID 1720 wrote to memory of 1312	1720	19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe	27
PID 1720 wrote to memory of 1312	1720	19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe	27

C:\Users\Admin\AppData\Local\Temp\19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe
"C:\Users\Admin\AppData\Local\Temp\19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe
  "C:\Users\Admin\AppData\Local\Temp\19efeb9c5a1089a41610cd3cb11ef28fed2e89ad39a5cb391d5ff534741b17cc.exe"
  2⤵
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1720-56-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download