2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f

Analysis

max time kernel
188s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe
Size

338KB
MD5

2b5b0932b4ade5f527e708ab706c93be
SHA1

0a751cd77a783016d3435642d3ac5f4216430df0
SHA256

2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f
SHA512

0837eba9ed38420137d35e5979b2a576036919cad6583a67ebe46590359ed21282ab666ee7769387d1ee66549845c796c74d60dc8d0006385f491e497980a5b6
SSDEEP

6144:6lZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76l2PIDNogwM1:6HLUMuiv9RgfSjAzRty5CgwM1

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
508	server.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1736-132-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/1736-136-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1736-136-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4688	508	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 508	1736	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	79
PID 1736 wrote to memory of 508	1736	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	79
PID 1736 wrote to memory of 508	1736	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	79

C:\Users\Admin\AppData\Local\Temp\2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe
"C:\Users\Admin\AppData\Local\Temp\2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp/server.exe
  2⤵
  - Executes dropped EXE
  PID:508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 316
    3⤵
    - Program crash
    PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 508 -ip 508
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
memory/1736-132-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1736-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download