63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae

Analysis

max time kernel
86s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe
Size

3.9MB
MD5

40c18e61dc14c82ba5590e7b77a3f4fa
SHA1

22d75a1f60bc8621c7401968f9889e84a3deb471
SHA256

63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae
SHA512

6d80043635ae7bdbace65052213e1414be0bd21c71888bb64cd04b200165d42580c59388cc77dae8ffc32d49ae002d536c4b27315ed321b5b7a9b6aefd3b0321
SSDEEP

98304:+fkpCS+cVB8zNPpudYr5FP+DcQ/hN6IX9Bwn7sbqy:+sR+fzOSr5NQ/h7s7sb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

0120A8.exe016A18

pid process

1500 0120A8.exe
1760 016A18

pid	process
1500	0120A8.exe
1760	016A18

Loads dropped DLL 6 IoCs

Processes:

63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exedw20.exe

pid	process
908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe
908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe
908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe
1752	dw20.exe
1752	dw20.exe
1752	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe016A18

description	pid	process	target process
PID 908 wrote to memory of 1500	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	0120A8.exe
PID 908 wrote to memory of 1500	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	0120A8.exe
PID 908 wrote to memory of 1500	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	0120A8.exe
PID 908 wrote to memory of 1500	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	0120A8.exe
PID 908 wrote to memory of 1760	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	016A18
PID 908 wrote to memory of 1760	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	016A18
PID 908 wrote to memory of 1760	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	016A18
PID 908 wrote to memory of 1760	908	63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe	016A18
PID 1760 wrote to memory of 1752	1760	016A18	dw20.exe
PID 1760 wrote to memory of 1752	1760	016A18	dw20.exe
PID 1760 wrote to memory of 1752	1760	016A18	dw20.exe
PID 1760 wrote to memory of 1752	1760	016A18	dw20.exe

C:\Users\Admin\AppData\Local\Temp\63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe
"C:\Users\Admin\AppData\Local\Temp\63c8f8b5b5f2ab409fbd446b608daf7135188d8a31c8aa30f9d977e03b425dae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\033458\0120A8.exe
"C:\Users\Admin\AppData\Roaming\033458\0120A8.exe" -launcher
2⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Local\Temp\016A18
"C:\Users\Admin\AppData\Local\Temp\016A18"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 412
3⤵
- Loads dropped DLL
PID:1752

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\016A18
Filesize
3.2MB

MD5
aeb5ef6fd3227c8d84eee40a1a031ad7

SHA1
5991bbdc09b4518a3b7fd91a2d266f32a905ec25

SHA256
a40b2333e99c25127ed60ff8d7b35f77bc19c7b0bd4df76f0fa7372d86afc61a

SHA512
0ed51d8f91e7bbf21ad519693a0dd7fcd2c1a45363210c541bb438a4140a27cf9558a02c923e052b5688141c375b35ec183d2922edd782e5b83fdf71e60a289d

Download Submit
C:\Users\Admin\AppData\Local\Temp\016A18
Filesize
3.2MB

MD5
aeb5ef6fd3227c8d84eee40a1a031ad7

SHA1
5991bbdc09b4518a3b7fd91a2d266f32a905ec25

SHA256
a40b2333e99c25127ed60ff8d7b35f77bc19c7b0bd4df76f0fa7372d86afc61a

SHA512
0ed51d8f91e7bbf21ad519693a0dd7fcd2c1a45363210c541bb438a4140a27cf9558a02c923e052b5688141c375b35ec183d2922edd782e5b83fdf71e60a289d

Download Submit
C:\Users\Admin\AppData\Roaming\033458\0120A8.exe
Filesize
239KB

MD5
5606e085ba84844e2b1d80a84eaba626

SHA1
0f395b49b525f5e3f20677e86859ad022c03ca15

SHA256
a77d86bb3ea048da8f58e993d5b8d744888ae32ea4df6c761ff973d9d92c281b

SHA512
e7526a651a17da302afb2e99fb298750acf9841f4d427350973835249580668eda25f62e0fefba05418d4ad4d781bff696bbebc88e243802224bf834cc9e1e3a

Download Submit
C:\Users\Admin\AppData\Roaming\033458\0120A8.exe
Filesize
239KB

MD5
5606e085ba84844e2b1d80a84eaba626

SHA1
0f395b49b525f5e3f20677e86859ad022c03ca15

SHA256
a77d86bb3ea048da8f58e993d5b8d744888ae32ea4df6c761ff973d9d92c281b

SHA512
e7526a651a17da302afb2e99fb298750acf9841f4d427350973835249580668eda25f62e0fefba05418d4ad4d781bff696bbebc88e243802224bf834cc9e1e3a

Download Submit
\Users\Admin\AppData\Local\Temp\016A18
Filesize
3.2MB

MD5
aeb5ef6fd3227c8d84eee40a1a031ad7

SHA1
5991bbdc09b4518a3b7fd91a2d266f32a905ec25

SHA256
a40b2333e99c25127ed60ff8d7b35f77bc19c7b0bd4df76f0fa7372d86afc61a

SHA512
0ed51d8f91e7bbf21ad519693a0dd7fcd2c1a45363210c541bb438a4140a27cf9558a02c923e052b5688141c375b35ec183d2922edd782e5b83fdf71e60a289d

Download Submit
\Users\Admin\AppData\Local\Temp\016A18
Filesize
3.2MB

MD5
aeb5ef6fd3227c8d84eee40a1a031ad7

SHA1
5991bbdc09b4518a3b7fd91a2d266f32a905ec25

SHA256
a40b2333e99c25127ed60ff8d7b35f77bc19c7b0bd4df76f0fa7372d86afc61a

SHA512
0ed51d8f91e7bbf21ad519693a0dd7fcd2c1a45363210c541bb438a4140a27cf9558a02c923e052b5688141c375b35ec183d2922edd782e5b83fdf71e60a289d

Download Submit
\Users\Admin\AppData\Local\Temp\016A18
Filesize
3.2MB

MD5
aeb5ef6fd3227c8d84eee40a1a031ad7

SHA1
5991bbdc09b4518a3b7fd91a2d266f32a905ec25

SHA256
a40b2333e99c25127ed60ff8d7b35f77bc19c7b0bd4df76f0fa7372d86afc61a

SHA512
0ed51d8f91e7bbf21ad519693a0dd7fcd2c1a45363210c541bb438a4140a27cf9558a02c923e052b5688141c375b35ec183d2922edd782e5b83fdf71e60a289d

Download Submit
\Users\Admin\AppData\Local\Temp\016A18
Filesize
3.2MB

MD5
aeb5ef6fd3227c8d84eee40a1a031ad7

SHA1
5991bbdc09b4518a3b7fd91a2d266f32a905ec25

SHA256
a40b2333e99c25127ed60ff8d7b35f77bc19c7b0bd4df76f0fa7372d86afc61a

SHA512
0ed51d8f91e7bbf21ad519693a0dd7fcd2c1a45363210c541bb438a4140a27cf9558a02c923e052b5688141c375b35ec183d2922edd782e5b83fdf71e60a289d

Download Submit
\Users\Admin\AppData\Roaming\033458\0120A8.exe
Filesize
239KB

MD5
5606e085ba84844e2b1d80a84eaba626

SHA1
0f395b49b525f5e3f20677e86859ad022c03ca15

SHA256
a77d86bb3ea048da8f58e993d5b8d744888ae32ea4df6c761ff973d9d92c281b

SHA512
e7526a651a17da302afb2e99fb298750acf9841f4d427350973835249580668eda25f62e0fefba05418d4ad4d781bff696bbebc88e243802224bf834cc9e1e3a

Download Submit
\Users\Admin\AppData\Roaming\033458\0120A8.exe
Filesize
239KB

MD5
5606e085ba84844e2b1d80a84eaba626

SHA1
0f395b49b525f5e3f20677e86859ad022c03ca15

SHA256
a77d86bb3ea048da8f58e993d5b8d744888ae32ea4df6c761ff973d9d92c281b

SHA512
e7526a651a17da302afb2e99fb298750acf9841f4d427350973835249580668eda25f62e0fefba05418d4ad4d781bff696bbebc88e243802224bf834cc9e1e3a

Download Submit
memory/908-55-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/908-75-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/908-66-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/908-54-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/908-77-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-61-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/1752-69-0x0000000000000000-mapping.dmp

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download
memory/1760-76-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-74-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download