83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a

Analysis

max time kernel
130s
max time network
136s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:49

Target

83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe
Size

56KB
MD5

2c989d105bb6a48f0b129a544c72d3db
SHA1

2db15f13e32c5b056e4469ce6b161b455fd9f84b
SHA256

83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a
SHA512

3212841147d44bfb43dd0c53b07e257325846cdf6878ec69ed0ed7069d99f679fedb68e5fba07478567a2c2d1e49544519d8bf7bd805ce7a319f016021d92350
SSDEEP

768:i7VGsDZQVzeK9S/a+QcvrQlEoOcvlDYyRN83+6qHOrFG0zu9rS+jTho0wksML60p:4BZazGan0QnAyjC+6KO80urSIhoHM/

Score

7^/10

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1928 svchost.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1760 NOTEPAD.EXE

pid	process
1928	svchost.exe

pid	process
1760	NOTEPAD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe

pid	process
1048	83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe
1048	83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exesvchost.exe

description	pid	process	target process
PID 1048 wrote to memory of 1928	1048	83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe	svchost.exe
PID 1048 wrote to memory of 1928	1048	83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe	svchost.exe
PID 1048 wrote to memory of 1928	1048	83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe	svchost.exe
PID 1048 wrote to memory of 1928	1048	83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.exe	svchost.exe
PID 1928 wrote to memory of 1760	1928	svchost.exe	NOTEPAD.EXE
PID 1928 wrote to memory of 1760	1928	svchost.exe	NOTEPAD.EXE
PID 1928 wrote to memory of 1760	1928	svchost.exe	NOTEPAD.EXE
PID 1928 wrote to memory of 1760	1928	svchost.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\83a5d394ef787e040282d86a6dc4692ebc347fca32f8f120ed2ea4641876da8a.txt

Filesize
80B

MD5
ce6235f3d42b3114fc9397894dd093ee

SHA1
d852cc237fb77bf3494bce94f1e3780b68e8f902

SHA256
96dc678f0b7166b888edc4683bb23f5419e3495efe3d70060613ea092e012c03

SHA512
be0fe7fe10dc5446c0717af428535bb394481164edfc238fcfa4bed42a24dafecd6e65fc6a39d6bc890f9361f40d8ec2b3611a047a3b8cea236990ef778c3d03

Download Submit
memory/1048-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download
memory/1928-54-0x0000000000000000-mapping.dmp

Download
memory/1928-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1928-58-0x0000000000080000-0x0000000000085000-memory.dmp

Filesize
20KB

Download
memory/1928-57-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/1928-59-0x00000000002E0000-0x0000000000360000-memory.dmp

Filesize
512KB

Download