bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01

Analysis

max time kernel
141s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 09:37

Target

bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe
Size

7.5MB
MD5

2c85516094c7c43a78531c088beca226
SHA1

80750dd8a8915896f2c4e35ad75a591f874da6e5
SHA256

bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01
SHA512

d65d2b399d5ff235382da57026cc251871e0ce21b6024e2670ea76f401b280c688cd5dffbca9ce1d540061e6e16270dd4043079be029501db9170493310d81ab
SSDEEP

196608:+wvscxVJ579xePIS8CABG+W6KzPOIWndPjggRG9Ed8:zkcxVJ5hx7S8dY+W6KrWndPjSE

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	Data Encoder.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
948	bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe
Token: SeDebugPrivilege	900	Data Encoder.exe
Token: SeDebugPrivilege	1684	Data Encoder.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 900	948	bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe	28
PID 948 wrote to memory of 900	948	bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe	28
PID 948 wrote to memory of 900	948	bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe	28
PID 948 wrote to memory of 900	948	bb55766f4e5a638dbfb458013ba3e41f08bcbb066c11bf123ea2c825c365bb01.exe	28
PID 900 wrote to memory of 1688	900	Data Encoder.exe	29
PID 900 wrote to memory of 1688	900	Data Encoder.exe	29
PID 900 wrote to memory of 1688	900	Data Encoder.exe	29
PID 900 wrote to memory of 1688	900	Data Encoder.exe	29
PID 900 wrote to memory of 976	900	Data Encoder.exe	31
PID 900 wrote to memory of 976	900	Data Encoder.exe	31
PID 900 wrote to memory of 976	900	Data Encoder.exe	31
PID 900 wrote to memory of 976	900	Data Encoder.exe	31
PID 112 wrote to memory of 1684	112	explorer.exe	33
PID 112 wrote to memory of 1684	112	explorer.exe	33
PID 112 wrote to memory of 1684	112	explorer.exe	33
PID 112 wrote to memory of 1684	112	explorer.exe	33

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\Data Encoder\Data Encoder.exe
  "C:\Users\Admin\AppData\Local\Temp\Data Encoder\Data Encoder.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Data-Encoder.com\Data_Encoder.exe_Url_xtjzu2fgm5p10skqizlpbh3eejid2zfg\1.0.1.7\user.config

Filesize
786B

MD5
39b03f6281329112feb93aa0f57c124f

SHA1
d2c78ad0d26fca21d8fedc618efe0ede8f299ee3

SHA256
4e41804b6ccc4d0840abfdfd32bcdde5ecb1459f8ed1f87b9b497eb4b8c335fb

SHA512
a652a049f83b7e1ebf503028c7996d8ea21436d360d1219e5bd8d399e0044cdfca3f7ee64aa4414ad6ebffa14f259d76f33d0ae305cf05ac0bdb6b3ca6bfb375

Download Submit
memory/948-54-0x0000000000100000-0x000000000088A000-memory.dmp

Filesize
7.5MB

Download
memory/948-55-0x0000000009620000-0x000000000A4A6000-memory.dmp

Filesize
14.5MB

Download
memory/948-56-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/948-57-0x0000000004E80000-0x0000000004F60000-memory.dmp

Filesize
896KB

Download
memory/948-58-0x0000000000D70000-0x0000000000DB2000-memory.dmp

Filesize
264KB

Download
memory/976-63-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/1684-66-0x0000000000140000-0x00000000008CA000-memory.dmp

Filesize
7.5MB

Download
memory/1684-69-0x0000000005236000-0x0000000005247000-memory.dmp

Filesize
68KB

Download
memory/1684-70-0x0000000005236000-0x0000000005247000-memory.dmp

Filesize
68KB

Download