2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe
Size

848KB
MD5

041e9bca775113355a36986f6321c8a2
SHA1

c4964da8911f87d187530316c7ba475107c536db
SHA256

2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947
SHA512

e695c28e75fd1a3c185e2c9328a4bdda40371079d3fd63388c366d3e1baa851c5dee8ba765ff8235f744a6c24ff688e905923b994fb392e995878d4ac57d2b9a
SSDEEP

12288:AhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4af7Fkv8KUlb7w5RohDTD:IRmJkcoQricOIQxiZY1iaf7Fp5Lh

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80
PID 3696 wrote to memory of 2548	3696	2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe	80

C:\Users\Admin\AppData\Local\Temp\2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe
"C:\Users\Admin\AppData\Local\Temp\2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe
  "C:\Users\Admin\AppData\Local\Temp\2f6c9dc0d50fb2cf414c7131181dfcfcf694dc01d01adf495f12f2cd8a96c947.exe"
  2⤵
  PID:2548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2548-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download