06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
Size

1.5MB
MD5

17c1cf03f4ddbe757ffa14072fc5a78b
SHA1

bb0700e46e068403b94ab244768a48438568698f
SHA256

06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680
SHA512

c26c78c6d6df995f3cd0862a754c8c61dfac9d6f8579e0f8b6f4629b382517bea26b474074bd94482e8584786fb6ecf7b990f5a3649f9f62eba5e07c87e05cfe
SSDEEP

24576:LRmJkcoQricOIQxiZY1WNy+YN3N+lMlgkx+3DefdUX0UOoL/qoa2jK1zwq610rP2:IJZoQrbTFZY1WNy+l

Score

5^/10

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1600-55-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 1596	1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1596	1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe	27
PID 1600 wrote to memory of 1596	1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe	27
PID 1600 wrote to memory of 1596	1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe	27
PID 1600 wrote to memory of 1596	1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe	27
PID 1600 wrote to memory of 1596	1600	06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe	27

C:\Users\Admin\AppData\Local\Temp\06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
"C:\Users\Admin\AppData\Local\Temp\06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe
  "C:\Users\Admin\AppData\Local\Temp\06ebc32ec21227160284817dcd89f632328cfc71d4ce13d410a4b0dec6818680.exe"
  2⤵
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-57-0x000000000051CB20-mapping.dmp

Download
memory/1600-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download