cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe
Size

10.7MB
MD5

44b6738f0b2896dff834fe9b30aaf7a4
SHA1

85385bdfff7b624ce317c4133a58d13c8aea34e7
SHA256

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb
SHA512

408a78ac7391c9911be91d3b1d7c4512be89103e9bfa7a206ac97a6dc714706a5cc049ca2b918ac36106fafe1899aa115b30fe7405df36a864ccf8bc412b7cab
SSDEEP

196608:bUdbjjbx8FWvc1ZMXd9M1BvLmPWh5BMLTeQDR45gb+dj02Hzn/pwNiN2x259s69:bUBHGFWvcfMXdW6Wh5eTdDYaxAn/pwUX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

software.exesoftware.tmp

pid process

3076 software.exe
3644 software.tmp
Loads dropped DLL 5 IoCs

Processes:

software.tmp

pid process

3644 software.tmp
3644 software.tmp
3644 software.tmp
3644 software.tmp
3644 software.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3076	software.exe
3644	software.tmp

pid	process
3644	software.tmp
3644	software.tmp
3644	software.tmp
3644	software.tmp
3644	software.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exesoftware.exe

description	pid	process	target process
PID 2220 wrote to memory of 3076	2220	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 2220 wrote to memory of 3076	2220	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 2220 wrote to memory of 3076	2220	cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe	software.exe
PID 3076 wrote to memory of 3644	3076	software.exe	software.tmp
PID 3076 wrote to memory of 3644	3076	software.exe	software.tmp
PID 3076 wrote to memory of 3644	3076	software.exe	software.tmp

C:\Users\Admin\AppData\Local\Temp\cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe
"C:\Users\Admin\AppData\Local\Temp\cdbd385ec40b14aeeee6abcdb72fc628167f0bf4869631ee944faed770c679bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\software.exe
C:\Users\Admin\AppData\Local\Temp\software.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\is-QOPHK.tmp\software.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QOPHK.tmp\software.tmp" /SL5="$30074,10932911,68608,C:\Users\Admin\AppData\Local\Temp\software.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QOPHK.tmp\software.tmp
Filesize
684KB

MD5
d8a7b498db39499a9205e6372bbd5301

SHA1
f5fb4bb2142c20b7cdda00ffe16275990000dd55

SHA256
218e4dba9a00fa76591cc7a17eb6434a202ca3527e80508f8d74cb355c31c2d7

SHA512
ce0fe80791fbb98d2f51b56b6bc4477b99ea1c41940c511eee1495b48188eab4178ecfad272dbf1ce2560b63297e72a6667bc476a7b3a6ea288ccdc76fcfa84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOPHK.tmp\software.tmp
Filesize
684KB

MD5
d8a7b498db39499a9205e6372bbd5301

SHA1
f5fb4bb2142c20b7cdda00ffe16275990000dd55

SHA256
218e4dba9a00fa76591cc7a17eb6434a202ca3527e80508f8d74cb355c31c2d7

SHA512
ce0fe80791fbb98d2f51b56b6bc4477b99ea1c41940c511eee1495b48188eab4178ecfad272dbf1ce2560b63297e72a6667bc476a7b3a6ea288ccdc76fcfa84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO4AS.tmp\EncStr.dll
Filesize
97KB

MD5
a96d045389a83b44bce302a255cf06c8

SHA1
e495735d19903433546315c42ce5f2947e1eccee

SHA256
ac1da22a5ab97f94d52b3cefac7910338786b5cd4f0fb6c823e4ac91f37baf25

SHA512
28c280cfa5ebf756ebd7d3f9df23a8a05b8e1b15a2e3abc11c557329e37219e31aa18e507bce733e41e3e46b73dd186eed760d88495b6abe43fce9360bd82c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO4AS.tmp\EncStr.dll
Filesize
97KB

MD5
a96d045389a83b44bce302a255cf06c8

SHA1
e495735d19903433546315c42ce5f2947e1eccee

SHA256
ac1da22a5ab97f94d52b3cefac7910338786b5cd4f0fb6c823e4ac91f37baf25

SHA512
28c280cfa5ebf756ebd7d3f9df23a8a05b8e1b15a2e3abc11c557329e37219e31aa18e507bce733e41e3e46b73dd186eed760d88495b6abe43fce9360bd82c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO4AS.tmp\LogFile.dll
Filesize
227KB

MD5
11cb58def67ec8b238548c04c89db02d

SHA1
c902f2389217a289343bdf0ba75d0fcacbb9de04

SHA256
f1164cad5d93a07cf81436458741a00a79555aa679200dbae4f595dd4972dab9

SHA512
756505066c6473b45166cd40f2e545cab4c65598b928ccde093a1f69e409acc0bc2b0094952afbc6430fc3dcd3028d44db9b96ac628a168bcb3ad168c7371712

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO4AS.tmp\LogFile.dll
Filesize
227KB

MD5
11cb58def67ec8b238548c04c89db02d

SHA1
c902f2389217a289343bdf0ba75d0fcacbb9de04

SHA256
f1164cad5d93a07cf81436458741a00a79555aa679200dbae4f595dd4972dab9

SHA512
756505066c6473b45166cd40f2e545cab4c65598b928ccde093a1f69e409acc0bc2b0094952afbc6430fc3dcd3028d44db9b96ac628a168bcb3ad168c7371712

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UO4AS.tmp\cpuinfo.dll
Filesize
52KB

MD5
a9857c3b9c339fb16e1b0d26d1ba5332

SHA1
8fe84dc2ea9b59637a4348bd1e2dbb2a8027ca10

SHA256
ea68738427039a7b58f58b7293733e222f9def6cf3828f30812d8f5aafc23768

SHA512
1ddeff4100328ffdce0609947d51bf93e749fd278977e808a722b25ed0e25aab1a75d35aa936956f53dd74363f8ab4f0558b20a0ec4ca2a33e37993a1073d779

Download Submit
C:\Users\Admin\AppData\Local\Temp\software.exe
Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\software.exe
Filesize
10.7MB

MD5
d90ac7b34abbbd60b761da9723ecb6b2

SHA1
5c8dafbb9752b8dd5b5e96034581ca9f306adce1

SHA256
24619e640dc772a20fae53d2c610ff43205a4378ac3ec7b1ffdebe5178289ed1

SHA512
debd4c179610dca3dc4f0715fada665761b7e27c631df8885041ae2a7ce00127f75a87d90e8f2c1d338cbf60429cfa6c2b725c21c7bc539c4a6124d1906093dd

Download Submit
memory/3076-137-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3076-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3076-132-0x0000000000000000-mapping.dmp

Download
memory/3076-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3644-138-0x0000000000000000-mapping.dmp

Download
memory/3644-143-0x00000000038D0000-0x000000000390E000-memory.dmp

Filesize
248KB

Download
memory/3644-146-0x0000000003B50000-0x0000000003B6D000-memory.dmp

Filesize
116KB

Download