db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c

Analysis

max time kernel
179s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 04:06

Target

db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe
Size

1.7MB
MD5

31cfe1471edd6c3dda080ecc6a540557
SHA1

5097b2f3d7742d4654b6ea40e254ab94346bb472
SHA256

db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c
SHA512

e08ab254d31299e680770bb09d536bba01e50818e3c838d537105ba0ad00a7cf2cd3d462cb958add044b440bb79aa3e12edc10dfc57e713791f6e8b4b1561af8
SSDEEP

49152:B6diwOan5CuGPUkfgDNJ5RjPGuflnmrv794zl:kdic4USgBJDGMorDG

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

is-SKDL3.tmp

pid process

4364 is-SKDL3.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4364	is-SKDL3.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe

description	pid	process	target process
PID 2700 wrote to memory of 4364	2700	db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe	is-SKDL3.tmp
PID 2700 wrote to memory of 4364	2700	db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe	is-SKDL3.tmp
PID 2700 wrote to memory of 4364	2700	db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe	is-SKDL3.tmp

C:\Users\Admin\AppData\Local\Temp\db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe
"C:\Users\Admin\AppData\Local\Temp\db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\is-MHO06.tmp\is-SKDL3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MHO06.tmp\is-SKDL3.tmp" /SL4 $1A0022 "C:\Users\Admin\AppData\Local\Temp\db37403bc5bdfe1ca257d607f4e67b8226c0193671f6ef37e2cfe93516eaf48c.exe" 1520567 72704
2⤵
- Executes dropped EXE
PID:4364

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\is-MHO06.tmp\is-SKDL3.tmp
Filesize
656KB

MD5
e9f9fc2b5ca4d66d2e0d8958e6e1fff5

SHA1
473730f6a63abe99eafb278d2d178ed79ae3ac10

SHA256
73deec1971561033c817697a86b2df5bdd533290f42dbbc6b472697d5120469f

SHA512
a9a0deb4e83fc1878d9e9d468253b641b9b4892f2fe47c19a4b09f9ff4a79fe8982d31a4cec416ff4b24fe84ff31fb60222e45b13bf7d5975a9f024cc19b146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MHO06.tmp\is-SKDL3.tmp
Filesize
656KB

MD5
e9f9fc2b5ca4d66d2e0d8958e6e1fff5

SHA1
473730f6a63abe99eafb278d2d178ed79ae3ac10

SHA256
73deec1971561033c817697a86b2df5bdd533290f42dbbc6b472697d5120469f

SHA512
a9a0deb4e83fc1878d9e9d468253b641b9b4892f2fe47c19a4b09f9ff4a79fe8982d31a4cec416ff4b24fe84ff31fb60222e45b13bf7d5975a9f024cc19b146c

Download Submit
memory/2700-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2700-137-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4364-134-0x0000000000000000-mapping.dmp

Download