51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5

Analysis

max time kernel
55s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe
Size

7.4MB
MD5

e2a16d804f02e0a2464b15deebbae6a3
SHA1

9b073a65d95312f2ae1d9f420c6f8f3c10d294a1
SHA256

51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5
SHA512

9c3d4df123ba926dadb04b2cc93d261c566ee4c12bc2d38f92ff848685153f00539da9c23533d93d3e2101a0f887b851d3676dd03e95fda62b8b1900044fd803
SSDEEP

196608:U4bmYIypq7th4oR6E8OZreanWJlgeT6Z4+E:Glp7th4osE8+zWX/TX+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

LocalcYjiTjXHIH.exeLocal_etDSKofpL..COM

pid process

688 LocalcYjiTjXHIH.exe
876 Local_etDSKofpL..COM
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Local_etDSKofpL..COM

pid process

876 Local_etDSKofpL..COM
876 Local_etDSKofpL..COM

pid	process
688	LocalcYjiTjXHIH.exe
876	Local_etDSKofpL..COM

pid	process
876	Local_etDSKofpL..COM
876	Local_etDSKofpL..COM

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exeLocalcYjiTjXHIH.exe

description	pid	process	target process
PID 1420 wrote to memory of 688	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	LocalcYjiTjXHIH.exe
PID 1420 wrote to memory of 688	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	LocalcYjiTjXHIH.exe
PID 1420 wrote to memory of 688	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	LocalcYjiTjXHIH.exe
PID 688 wrote to memory of 1440	688	LocalcYjiTjXHIH.exe	dw20.exe
PID 688 wrote to memory of 1440	688	LocalcYjiTjXHIH.exe	dw20.exe
PID 688 wrote to memory of 1440	688	LocalcYjiTjXHIH.exe	dw20.exe
PID 1420 wrote to memory of 876	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	Local_etDSKofpL..COM
PID 1420 wrote to memory of 876	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	Local_etDSKofpL..COM
PID 1420 wrote to memory of 876	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	Local_etDSKofpL..COM
PID 1420 wrote to memory of 876	1420	51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe	Local_etDSKofpL..COM

C:\Users\Admin\AppData\Local\Temp\51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe
"C:\Users\Admin\AppData\Local\Temp\51b22e919c0b5963e334fe7c130ba50bddc8c0bfb50b94422eecf05e7d9fe4e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\LocalcYjiTjXHIH.exe
"C:\Users\Admin\AppData\LocalcYjiTjXHIH.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 368
3⤵
PID:1440

C:\Users\Admin\AppData\Local_etDSKofpL..COM
"C:\Users\Admin\AppData\Local_etDSKofpL..COM"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local_etDSKofpL..COM

Filesize
7.0MB

MD5
e056c12cccf7a957cc2ef6e2bf4d7cb7

SHA1
4b687492b1ee8de88d92e5907bcd437b20668262

SHA256
6e45d8fb219f719da8dbc34785c50063420cf1088f37bbe0cad499718ba77152

SHA512
d3c0b8a326a32ab77e24d8e01977f67f8e3e291fda45ac14d74a23d56b0b196f42b6ae30f277fdf669e9ea7a0164174e211edd56fa1b4102348bef8d67473c52

Download Submit
C:\Users\Admin\AppData\Local_etDSKofpL..COM

Filesize
7.0MB

MD5
e056c12cccf7a957cc2ef6e2bf4d7cb7

SHA1
4b687492b1ee8de88d92e5907bcd437b20668262

SHA256
6e45d8fb219f719da8dbc34785c50063420cf1088f37bbe0cad499718ba77152

SHA512
d3c0b8a326a32ab77e24d8e01977f67f8e3e291fda45ac14d74a23d56b0b196f42b6ae30f277fdf669e9ea7a0164174e211edd56fa1b4102348bef8d67473c52

Download Submit
C:\Users\Admin\AppData\LocalcYjiTjXHIH.exe

Filesize
450KB

MD5
207567cf39acb036b2353f1faf25ab43

SHA1
ca775333ad762cda183548dbdbbfe66bc302f232

SHA256
9a5bf572aec7cb409633edc9b0b617b0988e859b27019514a1bee69cee0731c5

SHA512
0bf515ffca61dcd8b4665eb4bc1a492257d674def4d610b5b3836c354af438a52407ab2a1e618562816914aa4d602c946260ea7c71db42370b29eb918606dd85

Download Submit
C:\Users\Admin\AppData\LocalcYjiTjXHIH.exe

Filesize
450KB

MD5
207567cf39acb036b2353f1faf25ab43

SHA1
ca775333ad762cda183548dbdbbfe66bc302f232

SHA256
9a5bf572aec7cb409633edc9b0b617b0988e859b27019514a1bee69cee0731c5

SHA512
0bf515ffca61dcd8b4665eb4bc1a492257d674def4d610b5b3836c354af438a52407ab2a1e618562816914aa4d602c946260ea7c71db42370b29eb918606dd85

Download Submit
memory/688-56-0x0000000000000000-mapping.dmp

Download
memory/876-60-0x0000000000000000-mapping.dmp

Download
memory/876-62-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1420-54-0x000007FEF3CD0000-0x000007FEF46F3000-memory.dmp

Filesize
10.1MB

Download
memory/1420-55-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download
memory/1440-59-0x0000000000000000-mapping.dmp

Download