55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
Size

1.0MB
MD5

874b7631e1db0c41e25a1d972509c2a8
SHA1

1fae4e0ae24f927b64fa1c482b2fa79d33fa7a3c
SHA256

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56
SHA512

93abcdaf6c6bc3b3b3cc10d6b6196d4c4a1a08ad07685339fd9dc5eee49aa381715ee8e0f9c0fece5194165f151e0eae5e0db249607fdac4eb6694234471393d
SSDEEP

24576:E4lavt0LkLL9IMixoEgeadpF6Mm3Jd3eWq9MmCS:Tkwkn9IMHeadpFbm3JNPaPCS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2264 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4508 PING.EXE

pid	process
2264	rundll32.exe

pid	process
4508	PING.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

pid	process
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

pid	process
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.execmd.exe

description	pid	process	target process
PID 4644 wrote to memory of 2264	4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 4644 wrote to memory of 2264	4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 4644 wrote to memory of 2264	4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 4644 wrote to memory of 4628	4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 4644 wrote to memory of 4628	4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 4644 wrote to memory of 4628	4644	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 4628 wrote to memory of 4508	4628	cmd.exe	PING.EXE
PID 4628 wrote to memory of 4508	4628	cmd.exe	PING.EXE
PID 4628 wrote to memory of 4508	4628	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
"C:\Users\Admin\AppData\Local\Temp\55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\windows\temp\msvcp90u.dll,rdl
2⤵
- Loads dropped DLL
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Tempscratch.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
3⤵
- Runs ping.exe
PID:4508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempscratch.bat
Filesize
322B

MD5
202c240b0525490d56aae8f010017557

SHA1
6cd4d9ac27ef7f157154d6a46aad3f241e8791db

SHA256
3e8db04270135e058ce34e38451c54bca274718559c70f9ee6ccbb97521d5160

SHA512
7fc4d021e7a973e16215b5a7283adcfee7fea0bd338bdfa04554a020bc776bcc6efaa7301dad89df442c10a2446bf3c46a9e81da4fd8972a12dd6b2e55a32ad0

Download Submit
C:\Windows\Temp\msvcp90u.dll
Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
\??\c:\windows\temp\msvcp90u.dll
Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
memory/2264-132-0x0000000000000000-mapping.dmp

Download
memory/4508-136-0x0000000000000000-mapping.dmp

Download
memory/4628-133-0x0000000000000000-mapping.dmp

Download