acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648

Analysis

max time kernel
26s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe
Size

649KB
MD5

dacb7e1220eb00c27b2932a54611cbda
SHA1

b68549927f055eeb44732dc6aac7ca53307aebbc
SHA256

acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648
SHA512

0a328c8b32755ce13d9862c87bc09fb332e9628d48673e126fa126966bc85f95c3df5437b25feb7511485c8ed0e552efdcd7bdc8d0f002296b8d04ebd8b0b887
SSDEEP

12288:sUKT+sMaSUo0or8K6iS4mhTUcvjnYQQhgYrlZ1UE:E61aSUIrtmhgc7nYQQhHZ1U

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe

pid process

916 acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe

description pid process

Token: SeDebugPrivilege 916 acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2008 DllHost.exe

pid	process
916	acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe

description	pid	process
Token: SeDebugPrivilege	916	acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe

pid	process
2008	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe
"C:\Users\Admin\AppData\Local\Temp\acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acde98861528c8bee00455108c48bd964d82e16bb80f2337adc2c99b86bb5648.png

Filesize
42KB

MD5
fc324e5a85bf6126ed56fe6220ffa66f

SHA1
d980c32ef3f472ceaa54c3197b80f73dd29a5837

SHA256
c0c0d345abcc3714f2a622531c2339c0e82bc36f03717abda4661d9c8fc91307

SHA512
ad1bb056b87e49b11809140f6949382e78ef922f5d58edf22574238296d5c9e4b5f1fc58aceebfbcf161469d8348f27035b1ad9180d8e09c346d2f6b1c407ef5

Download Submit
memory/916-54-0x0000000000250000-0x00000000002F8000-memory.dmp

Filesize
672KB

Download
memory/916-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads