ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0

Analysis

max time kernel
178s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
Size

597KB
MD5

5120de0b3afc3cc5a8567c098ac76c70
SHA1

dfba752f30b179eef82f4f32ae598ed22be82477
SHA256

ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0
SHA512

cda3849dc2d145562ee50afc48acff03289625b0f0e141736b1ca62b346d421994425fac881b8bbf9fb8613975f3f4876696e4357921bf5d109dba9d83a1d9df
SSDEEP

12288:knvpSu/qBIUxUwicfzGJeINbD3V5GaJDp/:knvUGRwhSJ3Jtp

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4540-134-0x00000000022E0000-0x0000000002412000-memory.dmp	upx
behavioral2/memory/4540-137-0x00000000022E0000-0x0000000002412000-memory.dmp	upx
behavioral2/memory/4540-138-0x00000000022E0000-0x0000000002412000-memory.dmp	upx
behavioral2/memory/4540-139-0x00000000022E0000-0x0000000002412000-memory.dmp	upx
behavioral2/memory/3952-141-0x0000000002150000-0x0000000002282000-memory.dmp	upx
behavioral2/memory/3952-145-0x0000000002150000-0x0000000002282000-memory.dmp	upx
behavioral2/memory/3952-144-0x0000000002150000-0x0000000002282000-memory.dmp	upx
behavioral2/memory/3952-147-0x0000000002150000-0x0000000002282000-memory.dmp	upx
behavioral2/memory/4540-148-0x00000000022E0000-0x0000000002412000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

pid	process
4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

description	pid	process
Token: SeShutdownPrivilege	4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
Token: SeCreatePagefilePrivilege	4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

pid	process
4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

description	pid	process	target process
PID 4540 wrote to memory of 3952	4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
PID 4540 wrote to memory of 3952	4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
PID 4540 wrote to memory of 3952	4540	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe	ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe

C:\Users\Admin\AppData\Local\Temp\ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
"C:\Users\Admin\AppData\Local\Temp\ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Local\Temp\ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe
"C:\Users\Admin\AppData\Local\Temp\ed1d3d06e257ec282ab4d126dc5991ef81ebebb2b1213f96d9e3fbd0d0608cb0.exe" /_ShowProgress
2⤵
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3952-144-0x0000000002150000-0x0000000002282000-memory.dmp

Filesize
1.2MB

Download
memory/3952-140-0x0000000000000000-mapping.dmp

Download
memory/3952-141-0x0000000002150000-0x0000000002282000-memory.dmp

Filesize
1.2MB

Download
memory/3952-145-0x0000000002150000-0x0000000002282000-memory.dmp

Filesize
1.2MB

Download
memory/3952-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3952-147-0x0000000002150000-0x0000000002282000-memory.dmp

Filesize
1.2MB

Download
memory/4540-133-0x0000000002240000-0x00000000022D6000-memory.dmp

Filesize
600KB

Download
memory/4540-134-0x00000000022E0000-0x0000000002412000-memory.dmp

Filesize
1.2MB

Download
memory/4540-137-0x00000000022E0000-0x0000000002412000-memory.dmp

Filesize
1.2MB

Download
memory/4540-138-0x00000000022E0000-0x0000000002412000-memory.dmp

Filesize
1.2MB

Download
memory/4540-139-0x00000000022E0000-0x0000000002412000-memory.dmp

Filesize
1.2MB

Download
memory/4540-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4540-148-0x00000000022E0000-0x0000000002412000-memory.dmp

Filesize
1.2MB

Download