719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038

Analysis

max time kernel
72s
max time network
76s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe
Size

104KB
MD5

6e5f035ac8a5f1b79ccb48be4cd4fbcb
SHA1

293691c1c372f071d4706d9fe32d7b5d5e049a69
SHA256

719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038
SHA512

74acebae8f018905a32a64a11b5065cb44febbca7ec7be5155519340de38c4d467560d50c564a6c618d92b9a3c4785496980f5d1bd74e621fcab1c8d07b4fd87
SSDEEP

3072:VK0rfqc5lNsJjelRLONsoBbwAX9bRwAX9:VLrCkNsVQgsm5Xb5X

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

LocalLHoLRKEpTP.exe

pid process

1160 LocalLHoLRKEpTP.exe
Loads dropped DLL 1 IoCs

Processes:

dw20.exe

pid process

1976 dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1160	LocalLHoLRKEpTP.exe

pid	process
1976	dw20.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exeLocalLHoLRKEpTP.exe

description	pid	process	target process
PID 2016 wrote to memory of 1160	2016	719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe	LocalLHoLRKEpTP.exe
PID 2016 wrote to memory of 1160	2016	719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe	LocalLHoLRKEpTP.exe
PID 2016 wrote to memory of 1160	2016	719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe	LocalLHoLRKEpTP.exe
PID 2016 wrote to memory of 1160	2016	719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe	LocalLHoLRKEpTP.exe
PID 1160 wrote to memory of 1976	1160	LocalLHoLRKEpTP.exe	dw20.exe
PID 1160 wrote to memory of 1976	1160	LocalLHoLRKEpTP.exe	dw20.exe
PID 1160 wrote to memory of 1976	1160	LocalLHoLRKEpTP.exe	dw20.exe
PID 1160 wrote to memory of 1976	1160	LocalLHoLRKEpTP.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe
"C:\Users\Admin\AppData\Local\Temp\719f4f63b6a39719f535b0e9e84dc65d21c8a253eb07c1e4137c43c944497038.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\LocalLHoLRKEpTP.exe
"C:\Users\Admin\AppData\LocalLHoLRKEpTP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 904
3⤵
- Loads dropped DLL
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLHoLRKEpTP.exe

Filesize
20KB

MD5
fb0c6b18f3247f820fd8b0de1ad72f08

SHA1
f74ea4851e532c615af4ead05cf1ec6851dccacc

SHA256
f84abcc50851be58ab8701e74ac34b9af984d49510594e7c5b2712ec84e7d602

SHA512
5340265cb07978e67df0742e75e40b4a7d92b4b7800b4db3c9285c8f18d1ca15b58983e5f264dcc8fff65e8d9ab6ba50c8c3260fe20fb5429e532d0d31b8d3e9

Download Submit
C:\Users\Admin\AppData\LocalLHoLRKEpTP.exe

Filesize
20KB

MD5
fb0c6b18f3247f820fd8b0de1ad72f08

SHA1
f74ea4851e532c615af4ead05cf1ec6851dccacc

SHA256
f84abcc50851be58ab8701e74ac34b9af984d49510594e7c5b2712ec84e7d602

SHA512
5340265cb07978e67df0742e75e40b4a7d92b4b7800b4db3c9285c8f18d1ca15b58983e5f264dcc8fff65e8d9ab6ba50c8c3260fe20fb5429e532d0d31b8d3e9

Download Submit
\Users\Admin\AppData\LocalLHoLRKEpTP.exe

Filesize
20KB

MD5
fb0c6b18f3247f820fd8b0de1ad72f08

SHA1
f74ea4851e532c615af4ead05cf1ec6851dccacc

SHA256
f84abcc50851be58ab8701e74ac34b9af984d49510594e7c5b2712ec84e7d602

SHA512
5340265cb07978e67df0742e75e40b4a7d92b4b7800b4db3c9285c8f18d1ca15b58983e5f264dcc8fff65e8d9ab6ba50c8c3260fe20fb5429e532d0d31b8d3e9

Download Submit
memory/1160-56-0x0000000000000000-mapping.dmp

Download
memory/1160-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1160-61-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1160-62-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-63-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x000007FEF4930000-0x000007FEF5353000-memory.dmp

Filesize
10.1MB

Download
memory/2016-55-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/2016-59-0x000000001AE00000-0x000000001AE10000-memory.dmp

Filesize
64KB

Download