967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5

Analysis

max time kernel
60s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 08:27

Target

967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe
Size

5.8MB
MD5

8c737403922522423aef4bfebdb7488b
SHA1

82825fc9abc90b3820c17b4e8c7594ad9eef225f
SHA256

967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5
SHA512

352711dacdfcd7623860b9677f46b61b1826688d3d6dbc37088a35dfd04b2897effa31d3a65ab0ce216c5a33597f72dad5d8205cc55ba13cb7530ceef02d1ff7
SSDEEP

98304:sd8DHxusXdvQpOgU3uP3tqj+WP4UiXjivsrzD15fTPac4k+OZ:s49XRfPMYjh4XGv+X152dkZ

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp

pid process

3284 967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp

pid	process
3284	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp
3284	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp
3284	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp
3284	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe

description	pid	process	target process
PID 3248 wrote to memory of 3284	3248	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp
PID 3248 wrote to memory of 3284	3248	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp
PID 3248 wrote to memory of 3284	3248	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe	967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp

C:\Users\Admin\AppData\Local\Temp\967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe
"C:\Users\Admin\AppData\Local\Temp\967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\is-0CG04.tmp\967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp

Filesize
1.2MB

MD5
b804012eb0ffe57fc9069c8ec5cd5b48

SHA1
91ad6d0faf14d9d4e2e632d0f70ee913e1ad0e83

SHA256
11f592161793e89b896935eb3a657aa27cc01a40446363db19b9c6396b0b4511

SHA512
49b005f3f9fbc6c7de5994e848295f83405b539b504a4226ddae17ed9adb74543a8e2363acdc305f0693c17e2fa1bd1f4f5834e64f47bdb098ca3fa14b263ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0CG04.tmp\967f0c9f508ab4c3b48c4f4fe60b98025d9f8b836d520f3f0bc4ae3eaffaaab5.tmp

Filesize
1.2MB

MD5
b804012eb0ffe57fc9069c8ec5cd5b48

SHA1
91ad6d0faf14d9d4e2e632d0f70ee913e1ad0e83

SHA256
11f592161793e89b896935eb3a657aa27cc01a40446363db19b9c6396b0b4511

SHA512
49b005f3f9fbc6c7de5994e848295f83405b539b504a4226ddae17ed9adb74543a8e2363acdc305f0693c17e2fa1bd1f4f5834e64f47bdb098ca3fa14b263ef9

Download Submit
memory/3248-132-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3248-137-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3248-138-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3284-134-0x0000000000000000-mapping.dmp

Download