5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea

Analysis

max time kernel
47s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe
Size

1.2MB
MD5

dcc17c56c5a6b57c99c43b9224e53068
SHA1

d5efd8077cd42be23d846f09bf98d9844d0a9924
SHA256

5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea
SHA512

bc0ccc5074bd4864bb7c54014f4b91918dd164947cf983e29ecee38609182859556c352f7459d074ec245a8cbb00924249d8fc9bb3d8c73d2bb9a9aec25fed5d
SSDEEP

24576:Qq6OAIPXPkMMMpdB7ZgPlgYKtpWh0URpD:RT7GetpW3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe

pid process

824 5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe

description pid process

Token: SeDebugPrivilege 824 5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

780 DllHost.exe

pid	process
824	5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe

description	pid	process
Token: SeDebugPrivilege	824	5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe

pid	process
780	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe
"C:\Users\Admin\AppData\Local\Temp\5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5523e330188bdf59c862d56c12c9d7f5a6a8bf2280c5c02780c3cbbe203403ea.png

Filesize
131KB

MD5
d8432cb4be962be7e2a6c8d21e74d042

SHA1
bae3bcb04aa62127d8d53f241b9dbb71215452c0

SHA256
734fe9bd8f91e3d85a04c2778d89a73832b604a899518f1287e3dd10152e5334

SHA512
2d8e1f663cd47eaccbbc815e2efd7253fb9259713928b73db2329c7a41e964a2cc1c24c818fa830bc4eeddf3095f0645c9fa7fe9530cf7040d11cffcca1c8322

Download Submit
memory/824-54-0x0000000000E10000-0x0000000000F44000-memory.dmp

Filesize
1.2MB

Download
memory/824-55-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads