c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd

Analysis

max time kernel
78s
max time network
101s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 19:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe
Size

690KB
MD5

27ea1b6fbd234c64402d0a3cc369dc13
SHA1

49bad7cd29ce4f1bb0b43ad2d325216aa753a77b
SHA256

c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd
SHA512

05df567b4e9a480cd24b3cf4e686781e9bb179cb6d64b5940698e55ab378fa964b64771ee5ee0d8e68106a42b00f0d0e13c05f457e46fe2a601a8f69afde9b28
SSDEEP

12288:JATtIOxVe8N7v4mHGIWf4hfSGwvWX2AJmB/brPpWmALJ9dzT3bb/Wk:JKqaec7hW6fq22UmJpWmAt9dzTLb/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
588	scm.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe
1196	c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 588	1196	c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe	30
PID 1196 wrote to memory of 588	1196	c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe	30
PID 1196 wrote to memory of 588	1196	c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe	30
PID 1196 wrote to memory of 588	1196	c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe	30

C:\Users\Admin\AppData\Local\Temp\c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe
"C:\Users\Admin\AppData\Local\Temp\c84a75d0a429492b1b865c6154caddfacfa2c33722712f937f964e3ecf1884dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\scm.exe
  scm.exe
  2⤵
  - Executes dropped EXE
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Global.ini

Filesize
83B

MD5
a964b00485adf58c3ba4d8d3bb23a000

SHA1
4f8858feacbf105c587c54a1a799d6282d09ff08

SHA256
b924b6e6a072e33a4d77a45b29ea52bb80974a168b989b376811c061aade1612

SHA512
be2b83bf5c0bb2bd303125756a9937b20845ed0186c97c08c261a920f53795accd462741e9f6abc93621403cd4e4b2cdfcd00fc2f5bdb6bec1ef253a5089d1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCM.exe

Filesize
5.7MB

MD5
74471d1dc51b86ee8896b2f1841c4dfb

SHA1
ec0c5134bd523af2cc0c3d29fd9494c55af9f307

SHA256
c58403fb0ac0d4454de1aa07b0eeac07fafdd86a2d558087626410f14a364f1e

SHA512
8cc950c7e73c8a3bcf67dda8b2ba25d3933148ea02289f4983f5c1293bf45b99e973043438b37438ec1c6dc18d158afbb677ed9bacac883a31f9de52f7f7f505

Download Submit
\Users\Admin\AppData\Local\Temp\SCM.exe

Filesize
5.7MB

MD5
74471d1dc51b86ee8896b2f1841c4dfb

SHA1
ec0c5134bd523af2cc0c3d29fd9494c55af9f307

SHA256
c58403fb0ac0d4454de1aa07b0eeac07fafdd86a2d558087626410f14a364f1e

SHA512
8cc950c7e73c8a3bcf67dda8b2ba25d3933148ea02289f4983f5c1293bf45b99e973043438b37438ec1c6dc18d158afbb677ed9bacac883a31f9de52f7f7f505

Download Submit
\Users\Admin\AppData\Local\Temp\SCM.exe

Filesize
5.7MB

MD5
74471d1dc51b86ee8896b2f1841c4dfb

SHA1
ec0c5134bd523af2cc0c3d29fd9494c55af9f307

SHA256
c58403fb0ac0d4454de1aa07b0eeac07fafdd86a2d558087626410f14a364f1e

SHA512
8cc950c7e73c8a3bcf67dda8b2ba25d3933148ea02289f4983f5c1293bf45b99e973043438b37438ec1c6dc18d158afbb677ed9bacac883a31f9de52f7f7f505

Download Submit
memory/1196-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download