e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2

Analysis

max time kernel
112s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
Size

86KB
MD5

3b23c84d0d6655273e72f62bd0f44a20
SHA1

de4a9077efe13bf6484a64a53bccd9efc6f84468
SHA256

e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2
SHA512

635fd6288fdca680001bf3953fabcd5acbff027c1c5dd1fe70519ca3eac2542ad4edc843066bfeff4b5bba727f293350a785bfc3bc399c7ccf9a4ca5955be7f6
SSDEEP

1536:F/E/8FZkgT1tnSe+L6ZtTqI1Rfkq4b/Z0vdWb1:FckDkgTrSBCt71RfkqE7b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\G:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\M:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\P:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\Q:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\V:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\H:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\I:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\O:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\T:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\N:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\S:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\U:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\Y:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\E:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\F:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\J:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\L:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\W:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\Z:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\A:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\B:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\K:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
File opened (read-only)	\??\R:	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
Token: SeShutdownPrivilege	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 368	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	5
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 380	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	4
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 416	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	3
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 460	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	2
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 476	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	1
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 484	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	8
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 580	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	27
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 660	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	26
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 736	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	25
PID 952 wrote to memory of 788	952	e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe	24

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1096
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:832
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1020
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:820
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:788
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:660
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1992

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe
"C:\Users\Admin\AppData\Local\Temp\e665a31f7658cac8e16dfce45caa19c22d3b0c3863de47fe51519810d0a8a8a2.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/952-55-0x0000000001000000-0x0000000001018000-memory.dmp

Filesize
96KB

Download
memory/952-56-0x00000000716C1000-0x00000000716C3000-memory.dmp

Filesize
8KB

Download
memory/952-57-0x0000000001000000-0x0000000001018000-memory.dmp

Filesize
96KB

Download
memory/952-58-0x0000000001000000-0x0000000001018000-memory.dmp

Filesize
96KB

Download