7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f

Analysis

max time kernel
152s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 23:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe
Size

3.1MB
MD5

dd95633aa17df1769dddf264d040c727
SHA1

8472e1044906735158338adb0b83053859828f15
SHA256

7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f
SHA512

d7991ae5ed81b528b26e69af81dce204da17ff19031ce196130753a5a9fcde770faba40892a6e06c76ab73f216fae066fcdb068085c1ff45b619a4812575439f
SSDEEP

98304:/AfbLA5wxEPASLkVmiJogPnNweHIBebSivZnk:/UkmIASQDJoEye2Ua

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp

Loads dropped DLL 2 IoCs

pid	Process
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp
364	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 364	4384	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe	80
PID 4384 wrote to memory of 364	4384	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe	80
PID 4384 wrote to memory of 364	4384	7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe	80

C:\Users\Admin\AppData\Local\Temp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe
"C:\Users\Admin\AppData\Local\Temp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\is-E7DD8.tmp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E7DD8.tmp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp" /SL5="$30068,2529716,70144,C:\Users\Admin\AppData\Local\Temp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:364

Network

No results found

72.21.91.29:80

46 B
40 B
1
1
67.27.154.126:80

260 B
5
20.189.173.10:443

322 B
7
93.184.220.29:80

322 B
7
8.238.110.126:80

322 B
7
8.238.111.254:80

46 B
40 B
1
1

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0NHTU.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0NHTU.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E7DD8.tmp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E7DD8.tmp\7a8917b6874b2b784a65d3ea607e2aca4ec70759a0988df2447ab382f9d97a0f.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/364-140-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/4384-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4384-137-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4384-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download