4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4

Analysis

max time kernel
27s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 22:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe
Size

256KB
MD5

d29d1e200ad2f57d22fa6f1e8b68e2c5
SHA1

65d14b6441971614365a68d04506ee9b62187be3
SHA256

4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4
SHA512

caa4b4777492e11faa13f481325404e52f66332dbea5f41c969b94eab68d8db1eb19aabab55a607c228297faccf325ae078b251d976e49776ed0b4098874a614
SSDEEP

3072:bMSncRzAOqMMSncRzAOQvL9FjDtvGxCwOO4SpAI906oRO71AY6a2v:ASncRlaSncRl1GOHplC6oRO6Da

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	IMAGE1.EXE

Loads dropped DLL 1 IoCs

pid	Process
1272	4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1760	1272	4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe	28
PID 1272 wrote to memory of 1760	1272	4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe	28
PID 1272 wrote to memory of 1760	1272	4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe	28
PID 1272 wrote to memory of 1760	1272	4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe	28

C:\Users\Admin\AppData\Local\Temp\4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe
"C:\Users\Admin\AppData\Local\Temp\4e2ce757f292b2112b696f9215b7c4ab7f2cf3da1ecdce549d805e154de58cb4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\IMAGE1.EXE
  "C:\Users\Admin\AppData\Local\Temp\IMAGE1.EXE"
  2⤵
  - Executes dropped EXE
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMAGE1.EXE

Filesize
53KB

MD5
098062dde5741b0b42e73060a1b95db0

SHA1
803e9fd3f740cfebb06333a7e056e6b6dbdc10d1

SHA256
63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611

SHA512
69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

Download Submit
\Users\Admin\AppData\Local\Temp\IMAGE1.EXE

Filesize
53KB

MD5
098062dde5741b0b42e73060a1b95db0

SHA1
803e9fd3f740cfebb06333a7e056e6b6dbdc10d1

SHA256
63e2cb9d0bfc79659e24fb3b119b249691dc79c5da7c42f7e79a9dcdd8ccd611

SHA512
69a18ec7f7fc8e49c2ef9f0ffc62020bd603f6874ecf6cc2c16351aaddad4a3ef37a7575c6f44065aa1cf606d2ad85275a003105cbe4527d9a9b035d6bfd678a

Download Submit
memory/1272-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download