71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86

Analysis

max time kernel
189s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
Size

1.4MB
MD5

04e3a8a7e51e095e4f6e5f00f639a447
SHA1

1f18941c35ed9092cadd85e38c85f46c3cb8e6a1
SHA256

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86
SHA512

c6d1057b6a1309e7e6ec09440176b4acd2d7ccaeef9e2858c636df6c3156896d3894cae820a1121b7b93c464a46417d857b7f579e21ab23e7f6165e906425190
SSDEEP

24576:nbNI1Hk32WDhOd0+cXoNxz0gZ402j3BsN9L2ORE1kiStxAqxI9w+H1:mlk32WDu0+3NygF2j3BvOeGiSk3NH1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

is-M0K6A.tmp

pid process

2416 is-M0K6A.tmp
Loads dropped DLL 2 IoCs

Processes:

is-M0K6A.tmp

pid process

2416 is-M0K6A.tmp
2416 is-M0K6A.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2416	is-M0K6A.tmp

pid	process
2416	is-M0K6A.tmp
2416	is-M0K6A.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe

description	pid	process	target process
PID 1864 wrote to memory of 2416	1864	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-M0K6A.tmp
PID 1864 wrote to memory of 2416	1864	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-M0K6A.tmp
PID 1864 wrote to memory of 2416	1864	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-M0K6A.tmp

C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
"C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\is-AUFOI.tmp\is-M0K6A.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AUFOI.tmp\is-M0K6A.tmp" /SL4 $A01BA C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe 1263274 50688
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-21R02.tmp\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-21R02.tmp\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AUFOI.tmp\is-M0K6A.tmp
Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AUFOI.tmp\is-M0K6A.tmp
Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
memory/1864-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1864-138-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2416-135-0x0000000000000000-mapping.dmp

Download
memory/2416-141-0x00000000032C1000-0x00000000032C5000-memory.dmp

Filesize
16KB

Download