ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
Size

2.4MB
MD5

54a7c19c3978126a1120de7b6af5d48c
SHA1

bf8ca5950b9f0ccb64a15a192c718c5e0fab9f5b
SHA256

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4
SHA512

28c7ff438a3b02098bb6d85ea4eabd4ce0a678ca933c5f2b7d380ed88e634677f6dbca2c0a9ede366ece329b7809029e339bb50d4444d2ac1877898c3412e1f0
SSDEEP

49152:WxoIUFS2336KoEBCGCdJzjUxnC+EnvAhezw9o+ZZ7hGeJ3TuzcC4:PIUFSbK1C7/zYxCXhzw9o+DMmyzcL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

END 4 IDM.exeend.exe

pid process

1556 END 4 IDM.exe
336 end.exe

pid	process
1556	END 4 IDM.exe
336	end.exe

Loads dropped DLL 6 IoCs

Processes:

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.execmd.exe

pid	process
1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
1132	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exeEND 4 IDM.execmd.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1556	1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 1944 wrote to memory of 1556	1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 1944 wrote to memory of 1556	1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 1944 wrote to memory of 1556	1944	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 1556 wrote to memory of 1720	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1720	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1720	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1720	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1368	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1368	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1368	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1368	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1348	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1348	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1348	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1348	1556	END 4 IDM.exe	cmd.exe
PID 1348 wrote to memory of 1744	1348	cmd.exe	attrib.exe
PID 1348 wrote to memory of 1744	1348	cmd.exe	attrib.exe
PID 1348 wrote to memory of 1744	1348	cmd.exe	attrib.exe
PID 1348 wrote to memory of 1744	1348	cmd.exe	attrib.exe
PID 1556 wrote to memory of 944	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 944	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 944	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 944	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1692	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1692	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1692	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1692	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1132	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1132	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1132	1556	END 4 IDM.exe	cmd.exe
PID 1556 wrote to memory of 1132	1556	END 4 IDM.exe	cmd.exe
PID 1132 wrote to memory of 2032	1132	cmd.exe	mode.com
PID 1132 wrote to memory of 2032	1132	cmd.exe	mode.com
PID 1132 wrote to memory of 2032	1132	cmd.exe	mode.com
PID 1132 wrote to memory of 2032	1132	cmd.exe	mode.com
PID 1132 wrote to memory of 336	1132	cmd.exe	end.exe
PID 1132 wrote to memory of 336	1132	cmd.exe	end.exe
PID 1132 wrote to memory of 336	1132	cmd.exe	end.exe
PID 1132 wrote to memory of 336	1132	cmd.exe	end.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1744 attrib.exe

pid	process
1744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
"C:\Users\Admin\AppData\Local\Temp\ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Temp\END 4 IDM.exe
"C:\Temp\END 4 IDM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
3⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
3⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
4⤵
- Views/modifies file attributes
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5099.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5099.bat"
3⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp7003.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp7003.exe"
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5099.bat "C:\Temp\END 4 IDM.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\mode.com
mode 13,1
4⤵
PID:2032

C:\Temp\end.exe
end.exe
4⤵
- Executes dropped EXE
PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
C:\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
C:\Temp\end.exe

Filesize
849KB

MD5
607598876e9dc8bcb7afb6ad25b88f10

SHA1
530cd0b31445c7a436025842dfecd10c1fccd83e

SHA256
dab4f5ba7f100ce986be92c6129534223ca700c1828509e2f456a533e56d400f

SHA512
8116fa7d887e1193a621f67069624a772be5b60978fb2e3851767813f3a63ee99a2bba27fc0a0a321180d73f1554dce9ba14159ad420463a7dbb6cca0fd71191

Download Submit
C:\Temp\end.exe

Filesize
849KB

MD5
607598876e9dc8bcb7afb6ad25b88f10

SHA1
530cd0b31445c7a436025842dfecd10c1fccd83e

SHA256
dab4f5ba7f100ce986be92c6129534223ca700c1828509e2f456a533e56d400f

SHA512
8116fa7d887e1193a621f67069624a772be5b60978fb2e3851767813f3a63ee99a2bba27fc0a0a321180d73f1554dce9ba14159ad420463a7dbb6cca0fd71191

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5099.bat

Filesize
464B

MD5
8b2d9c2fbd67ec760aafdc2c2a56e522

SHA1
940f3ab0da916586e32e50d1c123eccab399e567

SHA256
017ab84bd86d2a78da58f0a8de3a2cdad94d1d247ae6c831aae55fc5136d072e

SHA512
e03b85fedb11567e9540c224bb79faedba278b931905e236cec91316724bc423d98706a37f8079de70ea60ec32cc788e86d2e5ca3f4dabfbc219343c526566b4

Download Submit
\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
\Temp\end.exe

Filesize
849KB

MD5
607598876e9dc8bcb7afb6ad25b88f10

SHA1
530cd0b31445c7a436025842dfecd10c1fccd83e

SHA256
dab4f5ba7f100ce986be92c6129534223ca700c1828509e2f456a533e56d400f

SHA512
8116fa7d887e1193a621f67069624a772be5b60978fb2e3851767813f3a63ee99a2bba27fc0a0a321180d73f1554dce9ba14159ad420463a7dbb6cca0fd71191

Download Submit
memory/336-74-0x0000000000000000-mapping.dmp

Download
memory/336-79-0x0000000004D05000-0x0000000004D16000-memory.dmp

Filesize
68KB

Download
memory/336-78-0x0000000004D05000-0x0000000004D16000-memory.dmp

Filesize
68KB

Download
memory/336-76-0x0000000000920000-0x00000000009FC000-memory.dmp

Filesize
880KB

Download
memory/944-67-0x0000000000000000-mapping.dmp

Download
memory/1132-69-0x0000000000000000-mapping.dmp

Download
memory/1348-64-0x0000000000000000-mapping.dmp

Download
memory/1368-63-0x0000000000000000-mapping.dmp

Download
memory/1556-60-0x0000000000000000-mapping.dmp

Download
memory/1692-68-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x0000000000000000-mapping.dmp

Download
memory/1744-65-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/2032-71-0x0000000000000000-mapping.dmp

Download