1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516

Analysis

max time kernel
267s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:57

Target

1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe
Size

84KB
MD5

58442dfa80848810537232ac6b984b30
SHA1

91e2980df1c7607e394c71165792ec93331a76ea
SHA256

1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516
SHA512

82f7341a0250edce4607264cb4ff203cf67b1e293572d0dcc651d44d106447e1a58d41aa2c99bb8126698b6ba18d80578e215035d8ede557d3a83fcedfe900d5
SSDEEP

1536:aWPXlG3w3whaFd6gPKcNj1NpNQ6NeYN1l:jPXlGA3wkzEcF1NpxNV

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4660 wrote to memory of 740	4660	1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe	msedge.exe
PID 4660 wrote to memory of 740	4660	1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe	msedge.exe
PID 740 wrote to memory of 1680	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1680	740	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3128	4660	1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe	msedge.exe
PID 4660 wrote to memory of 3128	4660	1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe	msedge.exe
PID 3128 wrote to memory of 3268	3128	msedge.exe	msedge.exe
PID 3128 wrote to memory of 3268	3128	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe
"C:\Users\Admin\AppData\Local\Temp\1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffae38b46f8,0x7ffae38b4708,0x7ffae38b4718
3⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1b9f65f8385b6482b5125216ffff8106d6665ddc5ec66f192a7a43ee32765516.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffae38b46f8,0x7ffae38b4708,0x7ffae38b4718
3⤵
PID:3268

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
59f470bde9e3126df8c82dc46d1dd8d7

SHA1
9dba6f67877f88260136270230a1f3d9652e7f57

SHA256
283032bfd5ee5dfc0345b8974aab2081c522b2e2559014534a981b36b5312b47

SHA512
f8aecc9de011255505226a8dc0787c34d3e784d818240bdb7a4224632f3c79bb9e933ab9c9c77211e1fda15e558df9229ca91ed36cd55e38272d5d9ea03bd568

Download Submit
memory/740-132-0x0000000000000000-mapping.dmp

Download
memory/1680-133-0x0000000000000000-mapping.dmp

Download
memory/3128-134-0x0000000000000000-mapping.dmp

Download
memory/3268-135-0x0000000000000000-mapping.dmp

Download