db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a

Analysis

max time kernel
44s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:01

Target

db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe
Size

3.6MB
MD5

e975b6225b7d8816141592c9cbdb204b
SHA1

760110b6b31b7fd2592dbdcd0a73a29043652a24
SHA256

db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a
SHA512

c1810190bd9674a06d04d04530c265583760b76239340d4366014c3e4e726b89a7f25b73b5c17dc6dbc7fe51dfe08f10b8fab9781610f825bb47e5b85f3d2c4b
SSDEEP

49152:GU0pB88kt8888Hmi8888z1gj9pk1o8hLhX:tWo

Score

4^/10

Drops file in Windows directory 2 IoCs

Processes:

ngen.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe

pid process

2028 db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe

pid process

2028 db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe

pid	process
2028	db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe

pid	process
2028	db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe

description	pid	process	target process
PID 2028 wrote to memory of 1164	2028	db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe	ngen.exe
PID 2028 wrote to memory of 1164	2028	db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe	ngen.exe
PID 2028 wrote to memory of 1164	2028	db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe	ngen.exe
PID 2028 wrote to memory of 1164	2028	db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe	ngen.exe

C:\Users\Admin\AppData\Local\Temp\db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe
"C:\Users\Admin\AppData\Local\Temp\db62c1bb5b94f1b2b349cadca4235bdb6e234828f0401eacf6a19c94e257df4a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Users\Admin\AppData\Local\Temp"\MZALight.exe
  2⤵
  - Drops file in Windows directory
  PID:1164

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1164-58-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-56-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-57-0x00000000009F6000-0x0000000000A07000-memory.dmp

Filesize
68KB

Download
memory/2028-59-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-60-0x00000000009F6000-0x0000000000A07000-memory.dmp

Filesize
68KB

Download