8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
Size

203KB
MD5

add1972205939a6a4a50f6020faada08
SHA1

bea81e70bbf8707e8bdf0bb1bb042aa2ef6e7ab6
SHA256

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213
SHA512

05822d9b1b822469e1a530d7b9f6fc87d4c3f20d4129db57dd43ac0a9f647ea74c537408e8aa418dc1ad4723f17d02e722579b6710d79d377f67e50c8e2ea1fc
SSDEEP

3072:hwxVMhOC/dTDbq91+mno3t4QZQ3rtxB5vvexow+oAXLLVMRlSZZzzBL:hTfFDbRnOTrt57LNHzF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1984 server.exe

pid	process
1984	server.exe

Loads dropped DLL 2 IoCs

Processes:

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe

pid	process
2044	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
2044	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid process

1984 server.exe
1984 server.exe

pid	process
1984	server.exe
1984	server.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exeserver.exe

description	pid	process	target process
PID 2044 wrote to memory of 1984	2044	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 2044 wrote to memory of 1984	2044	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 2044 wrote to memory of 1984	2044	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 2044 wrote to memory of 1984	2044	8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe	server.exe
PID 1984 wrote to memory of 1216	1984	server.exe	Explorer.EXE
PID 1984 wrote to memory of 1216	1984	server.exe	Explorer.EXE
PID 1984 wrote to memory of 1216	1984	server.exe	Explorer.EXE
PID 1984 wrote to memory of 1216	1984	server.exe	Explorer.EXE
PID 1984 wrote to memory of 1216	1984	server.exe	Explorer.EXE
PID 1984 wrote to memory of 1216	1984	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe
"C:\Users\Admin\AppData\Local\Temp\8759d4336aba4c008db14f9190bc13af45304ccf5507d8305f09bd22ab004213.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
28KB

MD5
6c9fec39742d63543f96f1b4fd2e241d

SHA1
3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384

SHA256
c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0

SHA512
08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
28KB

MD5
6c9fec39742d63543f96f1b4fd2e241d

SHA1
3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384

SHA256
c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0

SHA512
08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
28KB

MD5
6c9fec39742d63543f96f1b4fd2e241d

SHA1
3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384

SHA256
c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0

SHA512
08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
28KB

MD5
6c9fec39742d63543f96f1b4fd2e241d

SHA1
3d31f79da5f61dea342ca6e2e3ba5b6a8c43b384

SHA256
c9718d91177b99a336c04c91013f310727a90eb4621edb16a9b97c9c5c8d4de0

SHA512
08cddba84ee608c61f7e6362165339524bc94b8cacaf62e629d83326a9fd033d5c1c75067c6b7a8fb1240f0c586ff83dffb2734d1eb852da72cc3df913824bc3

Download Submit
memory/1216-63-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1984-57-0x0000000000000000-mapping.dmp

Download
memory/1984-61-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1984-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2044-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download