Overview

overview

10

Static

static

10

8c859cc896...a0.exe

windows7-x64

7

8c859cc896...a0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c859cc8961ad4c823ee352b3cf2d64be9e3b2847a210a3c0ec36ed572acb3a0.exe

  • Size

    84KB

  • MD5

    16374bb2dc52687a42af71e845913edf

  • SHA1

    4d3d4575c500c87ae22f77fbc9d117bc2c3dd044

  • SHA256

    8c859cc8961ad4c823ee352b3cf2d64be9e3b2847a210a3c0ec36ed572acb3a0

  • SHA512

    1bbd40998d44fc1de54455a9acea839a35759cd68fa740c7de38f4490c7888352205a9fac7116175b61dae545719b7607144a5b3aba55da00803cce38bcd50e3

  • SSDEEP

    768:5I3vElriR9D+z7p8hwrZBJ/oD6kFXQMMSiaWUMK:50j4t8hwrOD6kFXQVSiaW9K

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c859cc8961ad4c823ee352b3cf2d64be9e3b2847a210a3c0ec36ed572acb3a0.exe
    "C:\Users\Admin\AppData\Local\Temp\8c859cc8961ad4c823ee352b3cf2d64be9e3b2847a210a3c0ec36ed572acb3a0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\add4.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1924
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dddd.vbs"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\add4.txt
    Filesize

    12KB

    MD5

    90d9c6ffacac645cd05206fd543c39e7

    SHA1

    66487ba953899ac0247ddf1c1a401cb3ae4afcad

    SHA256

    c017fa068c9029e761b001d47ced94fb897645f2808de2169179c4b78d1d1704

    SHA512

    165541f06fcb739966e6be0838f4ba3fd2fe4191da8ffa1b4abf099b610352917ee9232fdbf65835dd89e567310fd7703acf449456e4803cf460ed8ae2595242

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dddd.vbs
    Filesize

    49KB

    MD5

    2ddda6a9b659992544f453fbec38d3f5

    SHA1

    3f6f322cdb18ff00e8684284b335b54ea5fe8733

    SHA256

    64c2fb0dc0a942dcef51971b7313a1a6967f5f0dfbb689f3a2318a55e6c0c62a

    SHA512

    4331d81759594cb90633a636ffa5aeecee82d74401db4ec0d09dafde4abddf26d2e643d358960df98ca1d00d1ce68110a806feaab9523be3e5a0ca70074c2687

    Download Submit

  • memory/560-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1916-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1924-55-0x0000000000000000-mapping.dmp

    Download