Analysis

  • max time kernel
    34s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/11/2022, 20:54

General

  • Target

    0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe

  • Size

    202KB

  • MD5

    6c33623044bed83d7ab579bb8dff8fea

  • SHA1

    1181d74579c8eccc84ea5ceaf5eb85bc8934dc99

  • SHA256

    0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca

  • SHA512

    55528c731445b86dceb5ca06bea56dbe240e3af1b4976955abe49fb16391ae24163f5d47a33f048ec1f74c093c38124c2750a90a716f219c10e7331bb95c9c2c

  • SSDEEP

    3072:sUhH+lIxpQoyjeRhDMiERHi+Oaf9ZJq8/Ng8TTeYEUhOrGp2:V+qXDyShD0Fi+df9ZYaJmYZA0

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe
    "C:\Users\Admin\AppData\Local\Temp\0029ff91db128ffbe111fa51ca4dae07bc6cf31889e198f1c1e2a7741bd892ca.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe
      "C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1252

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalhhNFCSRcmz.exe

    Filesize

    72KB

    MD5

    8ade27886bd4b45661361a87ff22540d

    SHA1

    705d67ad604f5a2ed770a8025299405ee665beac

    SHA256

    c1528516efee7e396698ce83ddb177e83e797b3df6f6de1c60421239e67dc942

    SHA512

    6d62f9197ddcbd0ede17686398dc527946a47fb48860e3c054cbd365bf630d44eba418652798ef8a1eded8c800d5b7c87d9d8742d3061ff7a629809c8958800a

  • memory/1252-61-0x0000000076321000-0x0000000076323000-memory.dmp

    Filesize

    8KB

  • memory/1252-62-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1252-63-0x0000000074740000-0x0000000074CEB000-memory.dmp

    Filesize

    5.7MB

  • memory/1792-54-0x000007FEF41E0000-0x000007FEF4C03000-memory.dmp

    Filesize

    10.1MB

  • memory/1792-55-0x000007FEF2F00000-0x000007FEF3F96000-memory.dmp

    Filesize

    16.6MB

  • memory/1792-56-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

    Filesize

    8KB

  • memory/1792-60-0x0000000000BF0000-0x0000000000C00000-memory.dmp

    Filesize

    64KB