Analysis
- max time kernel: 93s
- max time network: 59s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23-11-2022 09:13

Static task: static1
Behavioral task: behavioral1
- Sample: 87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe
- Resource: win10-20220812-en
General
- Target: 87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe
- Size: 1.6MB
- MD5: 84419b2756957698c872721d1ac263b7
- SHA1: b5d6e463ceafde3c71e13889b650141b274ae5c0
- SHA256: 87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f
- SHA512: 59dc0471c397dafe8721d6a27baebdbda54b5d4b74ff2e88d3d346c9991139c39255ab62e519b879dea4d8e603342b12973340bd275d486381ca9cf5c2d53a1f
- SSDEEP: 24576:b062cSEk8zNlLsRTgLszgM5EXiMfxtaqbuohAGbwMcgxpVO7u7gNej5o0LS4zEWi:A6PaECg0ZMfnAcOipQYKe1TSW0zmw
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid   process
  3364  rundll32.exe
  3364  rundll32.exe
  4528  rundll32.exe
  4528  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a heuristic label attached by the sandbox signature; nothing else in this report (an empty Network section, a single dropped file under Downloads) shows encryption or extortion activity, so treat it as a weak indicator on its own.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe, control.exe, rundll32.exe, RunDll32.exe
  description                       pid   process                                                                 target process
  PID 2124 wrote to memory of 4868  2124  87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe  control.exe
  PID 2124 wrote to memory of 4868  2124  87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe  control.exe
  PID 2124 wrote to memory of 4868  2124  87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe  control.exe
  PID 4868 wrote to memory of 3364  4868  control.exe                                                             rundll32.exe
  PID 4868 wrote to memory of 3364  4868  control.exe                                                             rundll32.exe
  PID 4868 wrote to memory of 3364  4868  control.exe                                                             rundll32.exe
  PID 3364 wrote to memory of 2780  3364  rundll32.exe                                                            RunDll32.exe
  PID 3364 wrote to memory of 2780  3364  rundll32.exe                                                            RunDll32.exe
  PID 2780 wrote to memory of 4528  2780  RunDll32.exe                                                            rundll32.exe
  PID 2780 wrote to memory of 4528  2780  RunDll32.exe                                                            rundll32.exe
  PID 2780 wrote to memory of 4528  2780  RunDll32.exe                                                            rundll32.exe
Processes (parent -> child, indented by depth)

C:\Users\Admin\AppData\Local\Temp\87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe"
  PID: 2124
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\control.exe  (depth 2)
    command line: "C:\Windows\System32\control.exe" .\XM46.8S
    PID: 4868
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (depth 3)
      command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\XM46.8S
      PID: 3364
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\RunDll32.exe  (depth 4)
        command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\XM46.8S
        PID: 2780
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  (depth 5)
          command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\XM46.8S
          PID: 4528
          - Loads dropped DLL

The chain is the standard Control Panel item loader: the sample hands a file named XM46.8S (no .cpl extension, relative path, i.e. beside the sample in the Temp directory) to control.exe, which delegates to rundll32.exe Shell32.dll,Control_RunDLL. Image paths under C:\Windows\SysWOW64 paired with command lines naming C:\Windows\System32 are WOW64 file-system redirection for the 32-bit processes; the 64-bit RunDll32.exe at depth 4 then re-spawns a 32-bit rundll32.exe that names shell32.dll by ordinal (#44) instead of by the Control_RunDLL export name, which defeats command-line rules that only match on the function name. The two "Loads dropped DLL" hits (PIDs 3364 and 4528) are the points at which XM46.8S is actually mapped.
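The process tree above is the observable a detection engineer would write a rule against. The following is an added example, not part of the sandbox report or its tooling: it walks a list of process-creation events, flags control.exe or rundll32.exe loading a Control Panel item that is path-like and either lacks the .cpl extension or lives in a user-writable directory, and annotates each hit with the first ancestor running from such a directory. The event records are constructed from the report's process tree (pid, ppid, image, command line); the ppid of the root process, the benign control.exe desk.cpl event with pid 5100, and the USER_WRITABLE directory list are assumptions for illustration.

```python
"""Flag the control.exe / rundll32 Control_RunDLL loader chain seen in the report.

Added example, not part of the sandbox report. Event records are constructed
from the report's process tree; the root ppid, the benign pid-5100 event and the
USER_WRITABLE list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path of the created process
    cmdline: str   # command line as logged


# Control Panel loader spellings: the export name, or shell32 by ordinal as at depth 5.
CPL_LOADER = re.compile(r'control_rundll|shell32\.dll"?,#44', re.IGNORECASE)
# Directories an unprivileged user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(r'\\appdata\\|\\temp\\|\\users\\public\\', re.IGNORECASE)
# Command-line tokens: quoted strings or bare words (shlex mangles Windows backslashes).
TOKEN = re.compile(r'"[^"]*"|\S+')

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\87a6c5ac34356043974d8823f7ce33625b0d7572871f78e2be161f3c7ac18e5f.exe"

# Constructed from the report's process tree: (pid, ppid, image, cmdline).
SAMPLE_EVENTS = [
    ProcEvent(2124, 0, SAMPLE, f'"{SAMPLE}"'),  # ppid 0: parent not shown in the report
    ProcEvent(4868, 2124, r"C:\Windows\SysWOW64\control.exe",
              r'"C:\Windows\System32\control.exe" .\XM46.8S'),
    ProcEvent(3364, 4868, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\XM46.8S'),
    ProcEvent(2780, 3364, r"C:\Windows\system32\RunDll32.exe",
              r'C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\XM46.8S'),
    ProcEvent(4528, 2780, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\XM46.8S'),
    # Constructed benign control (assumption, not in the report): a user opening Display settings.
    ProcEvent(5100, 0, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" desk.cpl'),
]


def applet_argument(cmdline: str) -> Optional[str]:
    """Return the Control Panel item argument (last token) of a control/rundll32 command line."""
    tokens = TOKEN.findall(cmdline)
    if len(tokens) < 2:
        return None
    return tokens[-1].strip('"')


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk ppid links upward from pid; stops at unknown pids or cycles (pid reuse)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_cpl_abuse(events: List[ProcEvent]) -> List[dict]:
    """Flag path-like Control Panel items that are not .cpl or sit in a user-writable
    directory; each hit records the first ancestor launched from such a directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        if name not in ("control.exe", "rundll32.exe"):
            continue
        if name == "rundll32.exe" and not CPL_LOADER.search(ev.cmdline):
            continue  # rundll32 doing something other than loading a Control Panel item
        applet = applet_argument(ev.cmdline)
        if applet is None or "\\" not in applet:
            continue  # bare applet names such as desk.cpl are the normal case
        reasons = []
        if not applet.lower().endswith(".cpl"):
            reasons.append(f"control panel item without .cpl extension: {applet}")
        if USER_WRITABLE.search(applet):
            reasons.append(f"control panel item in user-writable path: {applet}")
        for anc in ancestry(by_pid, ev.ppid):
            if USER_WRITABLE.search(anc.image):
                reasons.append(f"ancestor pid {anc.pid} runs from {anc.image}")
                break
        if reasons:
            hits.append({"pid": ev.pid, "image": name, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_cpl_abuse(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], "; ".join(hit["reasons"]))
```

On the constructed events this flags PIDs 4868, 3364, 2780 and 4528 and leaves the desk.cpl launch alone. Matching the ordinal form (`shell32.dll",#44`) as well as the `Control_RunDLL` name is what keeps the depth-5 process in scope; the ancestor walk is what ties all four hits back to the executable in the Temp directory rather than to the signed Windows binaries that actually spawned them.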
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file
  Filesize: 1.7MB
  MD5: 7f8754fc25a0ec481a1eaff4357b1742
  SHA1: fdf1b6deb01bc9c9c1b800aa57682d09a8cad4d2
  SHA256: 7e00b9e62357606515b32642669df6ecf0c33215f576cc21907b314ee95836d7
  SHA512: 413de4a8bbc6edeafd30993a4fc8f0a85bbc94eb76fb48a1d6fedf016eff54c7a1c1b02632516d616a346c2690810e1ca6b8d33b26fc7f1f73513f53c3f2dd6b