b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b

Analysis

max time kernel
302s
max time network
372s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 11:47

Target

2014-12-22 #32/1c5f3bf4ddc6f255a71788deeb052435.exe
Size

187KB
MD5

1c5f3bf4ddc6f255a71788deeb052435
SHA1

4edbcc122517bbd8b3cbcfc736d7ccac9a6f94a3
SHA256

e010549bbe7901cde65a1f1c4d6b9e1d5075803c536f2c40f6a52ba30e268289
SHA512

185cf6566dd3682c5f07c269bbf56cb69e69a05b952beae43c3506d1f4a975cf5656ede14713ad97338ab798369ed919f0550a23e129f5898abb2e03596f223d
SSDEEP

3072:oDQkrZoosbIfXJ7GNW3Xf7+Os3s6OH7ej8MBzlnsMpUBfvNgWndV1lCkH3LS/og:oDpoeJGM/7tH6mej8uBfAHhb1lCICp

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

1c5f3bf4ddc6f255a71788deeb052435.exe

pid process

1268 1c5f3bf4ddc6f255a71788deeb052435.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1c5f3bf4ddc6f255a71788deeb052435.exe

description pid process target process

PID 1268 set thread context of 2544 1268 1c5f3bf4ddc6f255a71788deeb052435.exe 1c5f3bf4ddc6f255a71788deeb052435.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1268	1c5f3bf4ddc6f255a71788deeb052435.exe

description	pid	process	target process
PID 1268 set thread context of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1c5f3bf4ddc6f255a71788deeb052435.exe

description	pid	process	target process
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe
PID 1268 wrote to memory of 2544	1268	1c5f3bf4ddc6f255a71788deeb052435.exe	1c5f3bf4ddc6f255a71788deeb052435.exe

C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\1c5f3bf4ddc6f255a71788deeb052435.exe
"C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\1c5f3bf4ddc6f255a71788deeb052435.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\1c5f3bf4ddc6f255a71788deeb052435.exe
  "C:\Users\Admin\AppData\Local\Temp\2014-12-22 #32\1c5f3bf4ddc6f255a71788deeb052435.exe"
  2⤵
  PID:2544

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsuFF96.tmp\perm.dll

Filesize
21KB

MD5
7e9ec7c5fe48a59025c3330f587c887c

SHA1
cf5a0b3291c2ee28921d7494672d71a1bed4f3cb

SHA256
f1975b74a3fb8632406eadd9dcba631237d2f83c1b9e9b44029823322c1b53ab

SHA512
e4c63e22a87d75004babaa3f0e9a9c581e4a0037b636a827fd0dfb2559bf93324b89015526debb7b971d019a1444feaa550ca6765c5250bb1d312e42ba909ee3

Download Submit
memory/2544-133-0x0000000000000000-mapping.dmp

Download
memory/2544-134-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2544-136-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download