b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f

Analysis

max time kernel
96s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe
Size

626KB
MD5

c2b63c4fc8e3e0e71fa36584b4765792
SHA1

246ad04759f060f7ccb2d10cb7f83c158f77994d
SHA256

b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f
SHA512

b0a58907f1cb906868cf450122f737f2efaf9f53fd3c26bc9dafbf098dd43158e7a33ff6bf6f2a0646257c1fd6b4b90c2a200494b63cb35f9073e9279d26aad8
SSDEEP

12288:s1dlZo5yqWHB5s/OBJQdCyiHRkCAmQ3w5hncFK9wTuLnFcvKvV:s1dlZo5dYEScziHRR0w5hcrGKCvV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Tempserver.exe16599.exe16599.exe

pid process

908 Tempserver.exe
360 16599.exe
1352 16599.exe
Loads dropped DLL 6 IoCs

Processes:

Tempserver.exe16599.exe16599.exe

pid process

908 Tempserver.exe
908 Tempserver.exe
360 16599.exe
908 Tempserver.exe
908 Tempserver.exe
1352 16599.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
908	Tempserver.exe
360	16599.exe
1352	16599.exe

pid	process
908	Tempserver.exe
908	Tempserver.exe
360	16599.exe
908	Tempserver.exe
908	Tempserver.exe
1352	16599.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exeTempserver.exe

description	pid	process	target process
PID 1340 wrote to memory of 908	1340	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 1340 wrote to memory of 908	1340	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 1340 wrote to memory of 908	1340	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 1340 wrote to memory of 908	1340	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 908 wrote to memory of 360	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 360	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 360	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 360	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 1352	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 1352	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 1352	908	Tempserver.exe	16599.exe
PID 908 wrote to memory of 1352	908	Tempserver.exe	16599.exe

C:\Users\Admin\AppData\Local\Temp\b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe
"C:\Users\Admin\AppData\Local\Temp\b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\16599.exe
"C:\Users\Admin\AppData\Local\Temp\16599.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:360

C:\Users\Admin\AppData\Local\Temp\16599.exe
"C:\Users\Admin\AppData\Local\Temp\16599.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVMRuntm.dll
Filesize
648KB

MD5
df7899da64e219626e9b2ff28be28784

SHA1
95b1b9a6d5db717bfa4420d22005616295aa49bf

SHA256
3b3fe76659d9b267048da04ac454bc54dfe7bc1ce24b5ab8e06046981ecf102d

SHA512
1447aacb81429a392476cb4914779ccc3accd6af04b11972362e786c2032228a7097f538e206e99afb43cb6a2632c4e11f676bc39cdb9fec8bc1dd127a84ebd6

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
599KB

MD5
8004a7d57f1f8ffdc167a0129286a7de

SHA1
0e6966d75b0abcff24a32072defcfb261654ff17

SHA256
ea0f041f0df2a22513318c95deeb48c87e648ac351ddd834d91550e09e55afa1

SHA512
91f9528f78af7fda8b37cd6fd305bfd2f7b6a85bc1ea7c6da5a2af26f800d0da96521f41301c040ddfad7ef0fc6097236d7f6bef860d320a40c7ba69aac8fcfd

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
599KB

MD5
8004a7d57f1f8ffdc167a0129286a7de

SHA1
0e6966d75b0abcff24a32072defcfb261654ff17

SHA256
ea0f041f0df2a22513318c95deeb48c87e648ac351ddd834d91550e09e55afa1

SHA512
91f9528f78af7fda8b37cd6fd305bfd2f7b6a85bc1ea7c6da5a2af26f800d0da96521f41301c040ddfad7ef0fc6097236d7f6bef860d320a40c7ba69aac8fcfd

Download Submit
\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
\Users\Admin\AppData\Local\Temp\HVMRuntm.dll
Filesize
648KB

MD5
df7899da64e219626e9b2ff28be28784

SHA1
95b1b9a6d5db717bfa4420d22005616295aa49bf

SHA256
3b3fe76659d9b267048da04ac454bc54dfe7bc1ce24b5ab8e06046981ecf102d

SHA512
1447aacb81429a392476cb4914779ccc3accd6af04b11972362e786c2032228a7097f538e206e99afb43cb6a2632c4e11f676bc39cdb9fec8bc1dd127a84ebd6

Download Submit
\Users\Admin\AppData\Local\Temp\HVMRuntm.dll
Filesize
648KB

MD5
df7899da64e219626e9b2ff28be28784

SHA1
95b1b9a6d5db717bfa4420d22005616295aa49bf

SHA256
3b3fe76659d9b267048da04ac454bc54dfe7bc1ce24b5ab8e06046981ecf102d

SHA512
1447aacb81429a392476cb4914779ccc3accd6af04b11972362e786c2032228a7097f538e206e99afb43cb6a2632c4e11f676bc39cdb9fec8bc1dd127a84ebd6

Download Submit
memory/360-64-0x0000000000000000-mapping.dmp

Download
memory/360-69-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/360-72-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/908-59-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000000000-mapping.dmp

Download
memory/1340-58-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/1340-54-0x000007FEF36C0000-0x000007FEF40E3000-memory.dmp

Filesize
10.1MB

Download
memory/1340-61-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/1340-55-0x000007FEF2620000-0x000007FEF36B6000-memory.dmp

Filesize
16.6MB

Download
memory/1352-75-0x0000000000000000-mapping.dmp

Download
memory/1352-81-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-80-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download