5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e

Analysis

max time kernel
64s
max time network
67s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe
Size

21KB
MD5

24f9a38471e49cfa484b091b44aacd5a
SHA1

cc055dfba4900e9582c24ef5a6b3abd9d1203b52
SHA256

5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e
SHA512

bb1ec848b6579a3ce7e3570cd2a01dfdfca041216368403236034d36cc6cca88521a19687e9d9e48b88bd18d0de65240b2f4014e97c73f580a826a9503068f36
SSDEEP

192:ZXokc/wYXqa6qx94nkFLuyqcWeew4DoYeqgYzLYirYH1oyn9lsN8sv3hw/R/:WhLXqa6qH4mVqheen8YWKG1dsN8NR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1788	ffxug.exe

Deletes itself 1 IoCs

pid	Process
1788	ffxug.exe

Loads dropped DLL 1 IoCs

pid	Process
532	5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1788	532	5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe	27
PID 532 wrote to memory of 1788	532	5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe	27
PID 532 wrote to memory of 1788	532	5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe	27
PID 532 wrote to memory of 1788	532	5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe	27

C:\Users\Admin\AppData\Local\Temp\5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe
"C:\Users\Admin\AppData\Local\Temp\5f963c2b54eb2a8e7c2f1fd73b394cb7a3cdc424161c5966c192424c93977b6e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\ffxug.exe
  "C:\Users\Admin\AppData\Local\Temp\ffxug.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffxug.exe

Filesize
21KB

MD5
4dfe25fc4b4310a521bc674747215258

SHA1
64613e5576dac5fc9c71834e32cd8a764dd9a4f8

SHA256
a264f2c21a5d1fb7bb5bf9f4e55f720c073c121d3af2c87bb37f6f79f09bad5e

SHA512
1e078d14fd6a1ea9a20d749ca671070c740957572006b6792de91155e0d78a630231459d9a69e9d241da0f17ddc90174e52b5b30bbdfa8e83a1c6e4199e34ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffxug.exe

Filesize
21KB

MD5
4dfe25fc4b4310a521bc674747215258

SHA1
64613e5576dac5fc9c71834e32cd8a764dd9a4f8

SHA256
a264f2c21a5d1fb7bb5bf9f4e55f720c073c121d3af2c87bb37f6f79f09bad5e

SHA512
1e078d14fd6a1ea9a20d749ca671070c740957572006b6792de91155e0d78a630231459d9a69e9d241da0f17ddc90174e52b5b30bbdfa8e83a1c6e4199e34ec2

Download Submit
\Users\Admin\AppData\Local\Temp\ffxug.exe

Filesize
21KB

MD5
4dfe25fc4b4310a521bc674747215258

SHA1
64613e5576dac5fc9c71834e32cd8a764dd9a4f8

SHA256
a264f2c21a5d1fb7bb5bf9f4e55f720c073c121d3af2c87bb37f6f79f09bad5e

SHA512
1e078d14fd6a1ea9a20d749ca671070c740957572006b6792de91155e0d78a630231459d9a69e9d241da0f17ddc90174e52b5b30bbdfa8e83a1c6e4199e34ec2

Download Submit
memory/532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/532-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1788-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download