00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4

Analysis

max time kernel
50s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 21:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe
Size

557KB
MD5

e5a7d97840393acd5748d65cc47c6078
SHA1

e3e6203c3305455f089683bb0638e7b06fbf3c39
SHA256

00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4
SHA512

0937f4ecb82caddda835a06bb20ac853486a8b0888227d7beffae587447ed9d28513374628c58131c9a3b7a94d8c669145fe9b2e7446e6c43913d4c9229a957a
SSDEEP

12288:c8qUjMNlQ9tnIivCeeP68XRz9kNKEREMfDYpcJRESK+VBaSqnK:UQMctI1Rz9TERlbKKBYn

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1660-55-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1660-56-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/268-63-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/1660-65-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
300	cmd.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1660-56-0x0000000000400000-0x000000000053F000-memory.dmp	autoit_exe
behavioral1/memory/1660-65-0x0000000000400000-0x000000000053F000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28
PID 1660 wrote to memory of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28
PID 1660 wrote to memory of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28
PID 1660 wrote to memory of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28
PID 1660 wrote to memory of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28
PID 1660 wrote to memory of 268	1660	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	28
PID 268 wrote to memory of 300	268	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	29
PID 268 wrote to memory of 300	268	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	29
PID 268 wrote to memory of 300	268	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	29
PID 268 wrote to memory of 300	268	00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe	29

C:\Users\Admin\AppData\Local\Temp\00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe
"C:\Users\Admin\AppData\Local\Temp\00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe
  "C:\Users\Admin\AppData\Local\Temp\00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.bat
    3⤵
    - Deletes itself
    PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00049ec777d6814d0e1cd705ecc27c0e6f4234404d58b5e2a860fdcf0d8a5ec4.bat

Filesize
350B

MD5
e145811c58f43a1f5317d7ded2bfc72e

SHA1
d7b2432770e4f1c8ad39c0b5fb743eeaec1a16b4

SHA256
310319372ff06549f19b7adf1ebb1c5d39b6c7917ddda56a91c94f9dcb3f4214

SHA512
6c14d78733c8e658ae08a90119e9f3a5113eb1d3ad770fc34cb11af5e8609125cec02e3c8b2d97aa30aa06d8a6622a3538cf311183bdb3e86cf4e25faa7d713e

Download Submit
memory/268-61-0x00000000000C0000-0x000000000010B000-memory.dmp

Filesize
300KB

Download
memory/268-57-0x00000000000C0000-0x000000000010B000-memory.dmp

Filesize
300KB

Download
memory/268-59-0x00000000000C0000-0x000000000010B000-memory.dmp

Filesize
300KB

Download
memory/268-63-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/268-66-0x00000000000C0000-0x000000000010B000-memory.dmp

Filesize
300KB

Download
memory/268-68-0x00000000000C0000-0x000000000010B000-memory.dmp

Filesize
300KB

Download
memory/1660-56-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1660-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/1660-62-0x00000000036D0000-0x000000000380F000-memory.dmp

Filesize
1.2MB

Download
memory/1660-65-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/1660-55-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download