ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe

Analysis

max time kernel
148s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe
Size

2.8MB
MD5

a23e718d12aa4e15fe5a41ce08a22388
SHA1

90417a4367e8b684ae85f64693efbd5246645fda
SHA256

ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe
SHA512

8cb7c7139b49c5e250bea5a04fe8c45136f676e3c742b877a00e831fb34c972b0e0621816b512f7c0a5cbcf5d01d0187ee5ef0b9fbc01c28044f0becbe39f5c1
SSDEEP

49152:vEOlMN41JsJxx0dAnWfZzqBwjkaG6aPscmlqR4ecDniNPFyHTU32pC4ZK:Pl1YfxZVBw5G6jc8qC8tkzUGpC4ZK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2424	is-0ICV2.tmp

Loads dropped DLL 2 IoCs

pid	Process
2424	is-0ICV2.tmp
2424	is-0ICV2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2424	2728	ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe	78
PID 2728 wrote to memory of 2424	2728	ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe	78
PID 2728 wrote to memory of 2424	2728	ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe	78

C:\Users\Admin\AppData\Local\Temp\ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe
"C:\Users\Admin\AppData\Local\Temp\ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\is-F3KUN.tmp\is-0ICV2.tmp
  C:\Users\Admin\AppData\Local\Temp\is-F3KUN.tmp\is-0ICV2.tmp /SL4 $B0052 C:\Users\Admin\AppData\Local\Temp\ff823dba2153c2c600381b28efaa3dc3ebaf55d0ddedd89ec874f1b3d6937afe.exe 2967040 68096
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-D2RN8.tmp\_isbunzp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D2RN8.tmp\_isbunzp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F3KUN.tmp\is-0ICV2.tmp

Filesize
542KB

MD5
7f89ee4b959ddc9eb34d3db7196c9537

SHA1
d8f8939a39dd4294c04532fc730398b51434f9c9

SHA256
a6e5c93270dc4826d66d00ef5729b0ecfe43fa9250f861f464a071d3915ceb05

SHA512
0f40ea85a7a1add8966fa8e6a20420569626107c65667d8bdd7e497c9e437e861fbc468d9405e048e843fe255bc104b2dbceb6cfcdb0767e306f93b17c8d3141

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F3KUN.tmp\is-0ICV2.tmp

Filesize
542KB

MD5
7f89ee4b959ddc9eb34d3db7196c9537

SHA1
d8f8939a39dd4294c04532fc730398b51434f9c9

SHA256
a6e5c93270dc4826d66d00ef5729b0ecfe43fa9250f861f464a071d3915ceb05

SHA512
0f40ea85a7a1add8966fa8e6a20420569626107c65667d8bdd7e497c9e437e861fbc468d9405e048e843fe255bc104b2dbceb6cfcdb0767e306f93b17c8d3141

Download Submit
memory/2424-140-0x0000000002471000-0x0000000002475000-memory.dmp

Filesize
16KB

Download
memory/2728-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2728-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2728-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download