826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

Analysis

max time kernel
238s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 15:55

Target

826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe
Size

112KB
MD5

c873bd40adeab42b477853bb62acacf0
SHA1

286144bec4309fedd9276eb7dfde218eb39b87ef
SHA256

826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d
SHA512

cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931
SSDEEP

1536:gL5v4jy+2tZOR6+K+gvg0vNZnknHOTuc5PYfiU+TEEn+IQSzohftO:g/g+vg0nnqOTuCPCiU+TEpSz4t

Score

8^/10

Executes dropped EXE 2 IoCs

pid	Process
1672	Azxigc.exe
1328	Terms.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Terms.EXE	Azxigc.exe
File opened for modification	C:\Windows\Terms.EXE	Azxigc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1672	Azxigc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1672	1348	826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe	28
PID 1348 wrote to memory of 1672	1348	826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe	28
PID 1348 wrote to memory of 1672	1348	826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe	28
PID 1348 wrote to memory of 1672	1348	826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe	28
PID 1672 wrote to memory of 1004	1672	Azxigc.exe	30
PID 1672 wrote to memory of 1004	1672	Azxigc.exe	30
PID 1672 wrote to memory of 1004	1672	Azxigc.exe	30
PID 1672 wrote to memory of 1004	1672	Azxigc.exe	30

C:\Users\Admin\AppData\Local\Temp\826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe
"C:\Users\Admin\AppData\Local\Temp\826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Azxigc.exe
  "C:\Azxigc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\8098.vbs"
    3⤵
    PID:1004

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\8098.vbs

Filesize
500B

MD5
787e1683b7b40144f9b5bf139c03afcf

SHA1
b248f0e472baa453fa3618bc88822e5797f1a00d

SHA256
87f13b08398ae275bd7e03267f1274bf2780dffcf60154dd3fa2cbf20f63a027

SHA512
263fe7a515e1b9e7c0f1b7342a187b682cc90feb6fc67fd5c1e17e74eb5540b6ea323d48a4ef05affd15c24ff8340139a028df7052055ceda0a72dc50a7e4c77

Download Submit
C:\Azxigc.exe

Filesize
112KB

MD5
c873bd40adeab42b477853bb62acacf0

SHA1
286144bec4309fedd9276eb7dfde218eb39b87ef

SHA256
826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

SHA512
cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

Download Submit
C:\Azxigc.exe

Filesize
112KB

MD5
c873bd40adeab42b477853bb62acacf0

SHA1
286144bec4309fedd9276eb7dfde218eb39b87ef

SHA256
826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

SHA512
cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

Download Submit
C:\Windows\Terms.EXE

Filesize
112KB

MD5
c873bd40adeab42b477853bb62acacf0

SHA1
286144bec4309fedd9276eb7dfde218eb39b87ef

SHA256
826c1aec0b2b05f45c295569e7f2aa46eecf8e04ea1a302e0a7680b7290eab1d

SHA512
cf9e1846fc4e6cda20f14f93a4beb676a047e8081f81ac3d11b0ebaba05aa369832f03b2ba5a79e5855d3e8833687e148256353fc84b0bcc5b1b97724869f931

Download Submit
memory/1348-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download