ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb

Analysis

max time kernel
74s
max time network
85s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe
Size

208KB
MD5

b3804d4e48455b8f224ace24bbeb02b9
SHA1

fcb892e348f022f61c276190e757068d7c678982
SHA256

ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb
SHA512

3dbee52d34447aa0700936dcb0ee275f19157b13f9161f0140adc18dbffea178c64bf954790c634c64fdfb4f818155e33d6926f01f50a862a83edc34c6be7b7f
SSDEEP

6144:QJAmr43RNiyAkPrzDUDQsESu03LvaW1zU:Qemr4BkjkI0sEl03LyWO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1740	002.exe

Loads dropped DLL 2 IoCs

pid	Process
1224	ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe
1224	ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 58 IoCs

Remote System Discovery

T1018

pid	Process
1728	PING.EXE
816	PING.EXE
1304	PING.EXE
1304	PING.EXE
1948	PING.EXE
1948	PING.EXE
892	PING.EXE
2040	PING.EXE
992	PING.EXE
956	PING.EXE
796	PING.EXE
1496	PING.EXE
1692	PING.EXE
816	PING.EXE
1964	PING.EXE
1812	PING.EXE
1452	PING.EXE
1448	PING.EXE
1052	PING.EXE
1308	PING.EXE
2020	PING.EXE
1752	PING.EXE
564	PING.EXE
1092	PING.EXE
1792	PING.EXE
992	PING.EXE
864	PING.EXE
1952	PING.EXE
1504	PING.EXE
1468	PING.EXE
1104	PING.EXE
1496	PING.EXE
1324	PING.EXE
1576	PING.EXE
1916	PING.EXE
1324	PING.EXE
1256	PING.EXE
616	PING.EXE
1556	PING.EXE
1452	PING.EXE
1448	PING.EXE
1752	PING.EXE
852	PING.EXE
852	PING.EXE
456	PING.EXE
2040	PING.EXE
1728	PING.EXE
1016	PING.EXE
1104	PING.EXE
1556	PING.EXE
796	PING.EXE
996	PING.EXE
1504	PING.EXE
1524	PING.EXE
1720	PING.EXE
1468	PING.EXE
1940	PING.EXE
1224	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1740	1224	ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe	28
PID 1224 wrote to memory of 1740	1224	ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe	28
PID 1224 wrote to memory of 1740	1224	ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe	28
PID 1224 wrote to memory of 1740	1224	ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe	28
PID 1740 wrote to memory of 1040	1740	002.exe	31
PID 1740 wrote to memory of 1040	1740	002.exe	31
PID 1740 wrote to memory of 1040	1740	002.exe	31
PID 1740 wrote to memory of 1040	1740	002.exe	31
PID 1040 wrote to memory of 1504	1040	cmd.exe	33
PID 1040 wrote to memory of 1504	1040	cmd.exe	33
PID 1040 wrote to memory of 1504	1040	cmd.exe	33
PID 1040 wrote to memory of 1504	1040	cmd.exe	33
PID 1040 wrote to memory of 852	1040	cmd.exe	34
PID 1040 wrote to memory of 852	1040	cmd.exe	34
PID 1040 wrote to memory of 852	1040	cmd.exe	34
PID 1040 wrote to memory of 852	1040	cmd.exe	34
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1040 wrote to memory of 1728	1040	cmd.exe	35
PID 1040 wrote to memory of 456	1040	cmd.exe	36
PID 1040 wrote to memory of 456	1040	cmd.exe	36
PID 1040 wrote to memory of 456	1040	cmd.exe	36
PID 1040 wrote to memory of 456	1040	cmd.exe	36
PID 1040 wrote to memory of 1016	1040	cmd.exe	37
PID 1040 wrote to memory of 1016	1040	cmd.exe	37
PID 1040 wrote to memory of 1016	1040	cmd.exe	37
PID 1040 wrote to memory of 1016	1040	cmd.exe	37
PID 1040 wrote to memory of 1104	1040	cmd.exe	38
PID 1040 wrote to memory of 1104	1040	cmd.exe	38
PID 1040 wrote to memory of 1104	1040	cmd.exe	38
PID 1040 wrote to memory of 1104	1040	cmd.exe	38
PID 1040 wrote to memory of 1948	1040	cmd.exe	39
PID 1040 wrote to memory of 1948	1040	cmd.exe	39
PID 1040 wrote to memory of 1948	1040	cmd.exe	39
PID 1040 wrote to memory of 1948	1040	cmd.exe	39
PID 1040 wrote to memory of 1304	1040	cmd.exe	40
PID 1040 wrote to memory of 1304	1040	cmd.exe	40
PID 1040 wrote to memory of 1304	1040	cmd.exe	40
PID 1040 wrote to memory of 1304	1040	cmd.exe	40
PID 1040 wrote to memory of 2040	1040	cmd.exe	41
PID 1040 wrote to memory of 2040	1040	cmd.exe	41
PID 1040 wrote to memory of 2040	1040	cmd.exe	41
PID 1040 wrote to memory of 2040	1040	cmd.exe	41
PID 1040 wrote to memory of 992	1040	cmd.exe	42
PID 1040 wrote to memory of 992	1040	cmd.exe	42
PID 1040 wrote to memory of 992	1040	cmd.exe	42
PID 1040 wrote to memory of 992	1040	cmd.exe	42
PID 1040 wrote to memory of 1752	1040	cmd.exe	43
PID 1040 wrote to memory of 1752	1040	cmd.exe	43
PID 1040 wrote to memory of 1752	1040	cmd.exe	43
PID 1040 wrote to memory of 1752	1040	cmd.exe	43
PID 1040 wrote to memory of 1452	1040	cmd.exe	44
PID 1040 wrote to memory of 1452	1040	cmd.exe	44
PID 1040 wrote to memory of 1452	1040	cmd.exe	44
PID 1040 wrote to memory of 1452	1040	cmd.exe	44
PID 1040 wrote to memory of 796	1040	cmd.exe	45
PID 1040 wrote to memory of 796	1040	cmd.exe	45
PID 1040 wrote to memory of 796	1040	cmd.exe	45
PID 1040 wrote to memory of 796	1040	cmd.exe	45
PID 1040 wrote to memory of 1496	1040	cmd.exe	46
PID 1040 wrote to memory of 1496	1040	cmd.exe	46
PID 1040 wrote to memory of 1496	1040	cmd.exe	46
PID 1040 wrote to memory of 1496	1040	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe
"C:\Users\Admin\AppData\Local\Temp\ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\002.exe
  "C:\Users\Admin\AppData\Local\Temp\002.exe" "C:\Users\Admin\AppData\Local\Temp\ecab545a4aa3dc658de5d77bfbb704509e0fd43da9ff8183234cafd2ea56cdbb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1148.bat" "C:\Users\Admin\AppData\Local\Temp\002.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1504
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:852
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1728
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:456
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1016
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1104
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1948
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2040
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:992
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1752
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1452
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:796
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1496
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1448
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1468
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:816
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1324
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1692
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1556
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1104
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1948
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2040
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:992
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1752
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1452
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:796
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1496
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1448
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1468
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:816
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1324
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1964
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1940
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:956
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:864
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1576
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:996
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1052
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:564
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1256
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:616
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1504
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:852
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1728
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1916
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1556
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1524
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1308
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:892
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2020
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1092
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1224
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1792
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1720
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1812
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\002.exe

Filesize
201KB

MD5
13ec3d96d699d003a5fab495d707fbd4

SHA1
1668719aae4dce59c75e8ea42fbe7b7895a38070

SHA256
9afac7c45000c57c3aeefb85e2b10370052894a679f9166a92606c65d3a66920

SHA512
6feb2d33184ac81d0ceb864cc617b414822fb8c1e609a5f870ca5bf866405fac99759a6bce9720fde3e7f454678144fb5af0e2cf1e8b3267e1d5add2ab1d1320

Download Submit
C:\Users\Admin\AppData\Local\Temp\002.exe

Filesize
201KB

MD5
13ec3d96d699d003a5fab495d707fbd4

SHA1
1668719aae4dce59c75e8ea42fbe7b7895a38070

SHA256
9afac7c45000c57c3aeefb85e2b10370052894a679f9166a92606c65d3a66920

SHA512
6feb2d33184ac81d0ceb864cc617b414822fb8c1e609a5f870ca5bf866405fac99759a6bce9720fde3e7f454678144fb5af0e2cf1e8b3267e1d5add2ab1d1320

Download Submit
C:\Users\Admin\AppData\Local\Temp\1148.bat

Filesize
205B

MD5
af942e21a17f04903c52cb28a9b89542

SHA1
ebcfe47bad384564346db4141d26e3e68f9f984f

SHA256
c62a90b84dac61f74122f6eaa01665155a18b28a68b799a963f8a877194f922d

SHA512
790decec1485e8fc42c3ee09a3e871ee95fdf2bf2e5f15556de0a5b5db2106114d79206acf2dcf3e7c0dbe9df7b1298e0b3f7247a34d9d3bd9f296cc9b61211a

Download Submit
\Users\Admin\AppData\Local\Temp\002.exe

Filesize
201KB

MD5
13ec3d96d699d003a5fab495d707fbd4

SHA1
1668719aae4dce59c75e8ea42fbe7b7895a38070

SHA256
9afac7c45000c57c3aeefb85e2b10370052894a679f9166a92606c65d3a66920

SHA512
6feb2d33184ac81d0ceb864cc617b414822fb8c1e609a5f870ca5bf866405fac99759a6bce9720fde3e7f454678144fb5af0e2cf1e8b3267e1d5add2ab1d1320

Download Submit
\Users\Admin\AppData\Local\Temp\002.exe

Filesize
201KB

MD5
13ec3d96d699d003a5fab495d707fbd4

SHA1
1668719aae4dce59c75e8ea42fbe7b7895a38070

SHA256
9afac7c45000c57c3aeefb85e2b10370052894a679f9166a92606c65d3a66920

SHA512
6feb2d33184ac81d0ceb864cc617b414822fb8c1e609a5f870ca5bf866405fac99759a6bce9720fde3e7f454678144fb5af0e2cf1e8b3267e1d5add2ab1d1320

Download Submit
memory/1224-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download