68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d

Analysis

max time kernel
187s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe
Size

7.4MB
MD5

6b1373c530bf73a64aa3508c153c2ec8
SHA1

9e541c0df4a08a2ac4451cf6d7d00a224acecec2
SHA256

68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d
SHA512

902b6c0539a8c01276a33e73c358e073bd1ea9e2865212e61d3384c21565ac3facac42ffc3f01fac0caa57c217987aedbe0b943bb7695ec98a35542e8832afef
SSDEEP

196608:OW1BePZhU9mIW1FJ08scupXLvCBaJWHChaoXTjV2dN:/1BkhU9PWFJ08+pXLi9HNojj0f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp

Loads dropped DLL 2 IoCs

pid	Process
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp
3396	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3396	3460	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe	85
PID 3460 wrote to memory of 3396	3460	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe	85
PID 3460 wrote to memory of 3396	3460	68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe	85

C:\Users\Admin\AppData\Local\Temp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe
"C:\Users\Admin\AppData\Local\Temp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\is-UFVRV.tmp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UFVRV.tmp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp" /SL5="$A01BC,7283213,97280,C:\Users\Admin\AppData\Local\Temp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BARDD.tmp\DownLib.dll

Filesize
226KB

MD5
1c8c92fe26150d403eb0a1fb826ea513

SHA1
a589ac8c5026c84485ba81dd745949dd82328256

SHA256
f73c564ce5315f2a24f1d9758f39917d8c35c1dfd6d9bf1bc0e32f29a914834f

SHA512
0478aad9511c2581cc8c5eb5a76f050a5f28ad841c02ac15116fcdf20e7ea65e268d508ac7c9f20d045ba3a234363499fd30cc95e73602f1debdacd736c64e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BARDD.tmp\DownLib.dll

Filesize
226KB

MD5
1c8c92fe26150d403eb0a1fb826ea513

SHA1
a589ac8c5026c84485ba81dd745949dd82328256

SHA256
f73c564ce5315f2a24f1d9758f39917d8c35c1dfd6d9bf1bc0e32f29a914834f

SHA512
0478aad9511c2581cc8c5eb5a76f050a5f28ad841c02ac15116fcdf20e7ea65e268d508ac7c9f20d045ba3a234363499fd30cc95e73602f1debdacd736c64e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UFVRV.tmp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp

Filesize
1.2MB

MD5
c33cd97bb3d8bda4017f3cf45cded462

SHA1
5ab5eace09c27805297409e9fb4f05f1c8ae1579

SHA256
5d7d932876e65f031a614a88a856c89e1d2ffcce69bcd2168a30038835e271b6

SHA512
1f979e1499d96197d2fe9af8fd5043d4728cfd2464a2846dccbf364a272ab2509eb6adfb4de8d847b6a297c028b85dea574665d3df5c13266ff7f1ed51222181

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UFVRV.tmp\68aea60a4dac8dcc374acc0ddacc21378e05dab670c50290bd3e1b2f04d2537d.tmp

Filesize
1.2MB

MD5
c33cd97bb3d8bda4017f3cf45cded462

SHA1
5ab5eace09c27805297409e9fb4f05f1c8ae1579

SHA256
5d7d932876e65f031a614a88a856c89e1d2ffcce69bcd2168a30038835e271b6

SHA512
1f979e1499d96197d2fe9af8fd5043d4728cfd2464a2846dccbf364a272ab2509eb6adfb4de8d847b6a297c028b85dea574665d3df5c13266ff7f1ed51222181

Download Submit
memory/3396-134-0x0000000000000000-mapping.dmp

Download
memory/3396-140-0x0000000003410000-0x0000000003452000-memory.dmp

Filesize
264KB

Download
memory/3460-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3460-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download