f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db

Analysis

max time kernel
4s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:40

Target

f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe
Size

159KB
MD5

13ee0fea96642626c637c6bcc4ad3a6c
SHA1

aa03037c474933a25d8c816bc46aea62e06a95de
SHA256

f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db
SHA512

1a329c37e9bea257be4dee42186099df14025fc2adfa7b786be4d93b97590504568f607b882003d75bb8133b82092684b06c768d42ce674a151cbf52b741bdc2
SSDEEP

3072:gBUIYrsgIDmJxsuz+heAcYf6WUgOxsJEpjPD3d7IcGQNEHQdEU+G7BFH0eyuyQ:gGsbuzgLf3wlP5NqQya/HpyuL

Score

8^/10

Drops file in Drivers directory 2 IoCs

Processes:

f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\acpidisk.sys	f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe
File opened for modification	C:\Windows\SysWOW64\drivers\acpidisk.sys	f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe

Loads dropped DLL 3 IoCs

Processes:

f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe

pid	process
1416	f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe
1416	f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe
1416	f76017def895f11e328b28342cb06e08930ec9d2965040bebd88d1bc070196db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\dosss11.dll

Filesize
72KB

MD5
3ccb55df7911d2ebe0a14f0202ddabdd

SHA1
d70a98da8e7b756b6644fb8b23001755ef814c02

SHA256
f375ebf8bfb3eedeb81152b6fd8f670a7f1a11467cbbaad3d1fbd5707125039f

SHA512
4520ed401b890bc0cd5b065d252d2acb0565e7b3a8376d18ee97cf807b8141c52b253bc9dc2b29d22b8969cf5a116b8221d7548f7ced774e32c3ed5b60ce3ff4

Download Submit
\Users\Admin\AppData\Local\Temp\nseC056.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
\Users\Admin\AppData\Local\Temp\nseC056.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
memory/1416-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1416-58-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download