409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d

Analysis

max time kernel
141s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 17:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe
Size

22KB
MD5

836d4ca8bc133405e96c3ede9c3dd0e0
SHA1

69aada5220f88d359a82585fee678912b43d9dd2
SHA256

409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d
SHA512

98f7aac3b7456201f3ce9c84c80fdf99b7473dc9fda6f734f2a9a8b60c9b90ad55a7c9bff273e9baa37b9b196b4c4c22bbc097a6e240ed274cfbb19c3aae6b13
SSDEEP

384:IMAP4wZ6khYJRKiC0bz94calJJjjjCRAAAAA2+Y5Vnv44SY:IM0ZiLCWwJjjHsQW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	defupdater.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26
PID 1248 wrote to memory of 860	1248	409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe	26

C:\Users\Admin\AppData\Local\Temp\409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe
"C:\Users\Admin\AppData\Local\Temp\409a48e7dc08568a41a9c097ed88f2a2d16ba48de66f69e0c4fc227a48126a0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\defupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\defupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\defupdater.exe

Filesize
22KB

MD5
108818aa059411e7e1fffbd7703ffd0c

SHA1
30730fb46bfca2e581326fa089b66e52cbeda7e1

SHA256
f93d599df3eb2be3e4e0067c4da6e45736d174fa273662400940616116f66206

SHA512
800521a59488c2d40889a39fb2b9d804c1e2d4a92147ddd4202c92c57bd9d286541d620e86ee38eb27532be157a7c716fceb42f038fad70f55b0df568a06b51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\defupdater.exe

Filesize
22KB

MD5
108818aa059411e7e1fffbd7703ffd0c

SHA1
30730fb46bfca2e581326fa089b66e52cbeda7e1

SHA256
f93d599df3eb2be3e4e0067c4da6e45736d174fa273662400940616116f66206

SHA512
800521a59488c2d40889a39fb2b9d804c1e2d4a92147ddd4202c92c57bd9d286541d620e86ee38eb27532be157a7c716fceb42f038fad70f55b0df568a06b51b

Download Submit
\Users\Admin\AppData\Local\Temp\defupdater.exe

Filesize
22KB

MD5
108818aa059411e7e1fffbd7703ffd0c

SHA1
30730fb46bfca2e581326fa089b66e52cbeda7e1

SHA256
f93d599df3eb2be3e4e0067c4da6e45736d174fa273662400940616116f66206

SHA512
800521a59488c2d40889a39fb2b9d804c1e2d4a92147ddd4202c92c57bd9d286541d620e86ee38eb27532be157a7c716fceb42f038fad70f55b0df568a06b51b

Download Submit
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download