Analysis
- max time kernel: 29s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 15:46
Static task: static1
Behavioral task: behavioral1
- Sample: 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
- Resource: win10v2004-20221111-en
General
- Target: 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
- Size: 203KB
- MD5: add1972205939a6a4a50f6020faada08
- SHA1: bea81e70bbf8707e8bdf0bb1bb042aa2ef6e7ab6
- SHA256: 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213
- SHA512: 05822d9b1b822469e1a530d7b9f6fc87d4c3f20d4129db57dd43ac0a9f647ea74c537408e8aa418dc1ad4723f17d02e722579b6710d79d377f67e50c8e2ea1fc
- SSDEEP: 3072:hwxVMhOC/dTDbq91+mno3t4QZQ3rtxB5vvexow+oAXLLVMRlSZZzzBL:hTfFDbRnOTrt57LNHzF
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (PID, process):
    1984 server.exe
- Loads dropped DLL (2 IoCs)
  Processes (PID, process):
    2044 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
    2044 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (PID, process):
    1984 server.exe
    1984 server.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, PID, process, target process):
    PID 2044 wrote to memory of 1984, 2044 8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe -> server.exe (4 events)
    PID 1984 wrote to memory of 1216, 1984 server.exe -> Explorer.EXE (6 events)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 28KB
  MD5: 6c9fec39742d63543f96f1b4fd2e241d
  SHA1: 3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384
  SHA256: c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0
  SHA512: 08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3
- \Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 28KB
  MD5: 6c9fec39742d63543f96f1b4fd2e241d
  SHA1: 3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384
  SHA256: c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0
  SHA512: 08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3
- memory/1216-63-0x000000007EFC0000-0x000000007EFC6000-memory.dmp
  Filesize: 24KB
- memory/1984-57-0x0000000000000000-mapping.dmp
- memory/1984-61-0x0000000010000000-0x0000000010011000-memory.dmp
  Filesize: 68KB
- memory/1984-62-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2044-54-0x0000000076651000-0x0000000076653000-memory.dmp
  Filesize: 8KB