Analysis
- max time kernel: 137s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 11:14
Static task: static1
Behavioral task: behavioral1
- Sample: 71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
- Resource: win10v2004-20221111-en
General
- Target: 71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
- Size: 1.4MB
- MD5: 04e3a8a7e51e095e4f6e5f00f639a447
- SHA1: 1f18941c35ed9092cadd85e38c85f46c3cb8e6a1
- SHA256: 71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86
- SHA512: c6d1057b6a1309e7e6ec09440176b4acd2d7ccaeef9e2858c636df6c3156896d3894cae820a1121b7b93c464a46417d857b7f579e21ab23e7f6165e906425190
- SSDEEP: 24576:nbNI1Hk32WDhOd0+cXoNxz0gZ402j3BsN9L2ORE1kiStxAqxI9w+H1:mlk32WDu0+3NygF2j3BvOeGiSk3NH1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    692  is-BBEB4.tmp
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    1108  71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
    692   is-BBEB4.tmp
    692   is-BBEB4.tmp
    692   is-BBEB4.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    692  is-BBEB4.tmp
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process), the same event recorded 7 times:
    PID 1108 wrote to memory of 692 | 1108 | 71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe | is-BBEB4.tmp
Processes
1. C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp" /SL4 $80022 C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe 1263274 50688
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp
  Filesize: 572KB
  MD5: 0d0622f7d2fd629455a028d7e1cb1c07
  SHA1: 82bdfc15f188241c535d7a42f0f95c99d0913bf4
  SHA256: ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a
  SHA512: eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a
- \Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp
  Filesize: 572KB
  MD5: 0d0622f7d2fd629455a028d7e1cb1c07
  SHA1: 82bdfc15f188241c535d7a42f0f95c99d0913bf4
  SHA256: ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a
  SHA512: eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a
- \Users\Admin\AppData\Local\Temp\is-RMQ2Q.tmp\_isdecmp.dll
  Filesize: 32KB
  MD5: b4786eb1e1a93633ad1b4c112514c893
  SHA1: 734750b771d0809c88508e4feb788d7701e6dada
  SHA256: 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
  SHA512: 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6
- \Users\Admin\AppData\Local\Temp\is-RMQ2Q.tmp\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- memory/692-59-0x0000000000000000-mapping.dmp
- memory/1108-54-0x0000000076691000-0x0000000076693000-memory.dmp
  Filesize: 8KB
- memory/1108-55-0x0000000000400000-0x0000000000413000-memory.dmp
  Filesize: 76KB
- memory/1108-57-0x0000000000400000-0x0000000000413000-memory.dmp
  Filesize: 76KB