44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567

Analysis

max time kernel
104s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:14

Target

44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe
Size

14.1MB
MD5

419235366d5c965c79117a403bb6c5da
SHA1

83dc365418c4d26e431870f70d3947c3a747c9cb
SHA256

44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567
SHA512

8282affe35350624ad60e95dd445238d681fcfdded9255c81e2a89009333fb43784a09acc5f725f41be0fb1e488fd7ae3144c0b95f855e3697fe5d441a877d6f
SSDEEP

393216:tjaiKK9iT3xU1eWWm/U7dUr9MExK09uAGcZuVgBhg:ty8OoWhdUrjxKiuAVwVsg

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

is-3MMDL.tmp

pid process

4876 is-3MMDL.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4876	is-3MMDL.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe

description	pid	process	target process
PID 3436 wrote to memory of 4876	3436	44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe	is-3MMDL.tmp
PID 3436 wrote to memory of 4876	3436	44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe	is-3MMDL.tmp
PID 3436 wrote to memory of 4876	3436	44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe	is-3MMDL.tmp

C:\Users\Admin\AppData\Local\Temp\44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe
"C:\Users\Admin\AppData\Local\Temp\44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\is-SH1BL.tmp\is-3MMDL.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SH1BL.tmp\is-3MMDL.tmp" /SL4 $90046 "C:\Users\Admin\AppData\Local\Temp\44667004c4984c42bfac4176fed27c34ca00cf360e03612c4742a4d835543567.exe" 14522061 49664
2⤵
- Executes dropped EXE
PID:4876

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\is-SH1BL.tmp\is-3MMDL.tmp

Filesize
639KB

MD5
c0720d08873ecc235edc7ac9c515d793

SHA1
28bf8b33e5daac25438ca75b3384a44a024eff4b

SHA256
62eba329580b2d813c117ebddb74422ed9b09b1b23edc669a0ea3bc41518b671

SHA512
2d48ef2c2aafa7872ddc6d577fe7b45f901604e53abe12968cb29f51e9c18b8371e9e328481611081d47d64e1a6b00a557ca7e23b8aec711398455832e3ebe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SH1BL.tmp\is-3MMDL.tmp

Filesize
639KB

MD5
c0720d08873ecc235edc7ac9c515d793

SHA1
28bf8b33e5daac25438ca75b3384a44a024eff4b

SHA256
62eba329580b2d813c117ebddb74422ed9b09b1b23edc669a0ea3bc41518b671

SHA512
2d48ef2c2aafa7872ddc6d577fe7b45f901604e53abe12968cb29f51e9c18b8371e9e328481611081d47d64e1a6b00a557ca7e23b8aec711398455832e3ebe06

Download Submit
memory/3436-132-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3436-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4876-133-0x0000000000000000-mapping.dmp

Download