0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e

Analysis

max time kernel
106s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 18:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe
Size

30KB
MD5

afc2d30a50cdc6c710e92aac09daf1eb
SHA1

6d5283fda926e5c0b9477ee7665eaf0b74fc9c09
SHA256

0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e
SHA512

3c82e5dbb073ef7481f0b1ce5966661f8a7c8538e7d38be3c9505edc41fce3ad34ed30c9f29ff26c480d2b87c06c90d0e57dde9ff5ab3b4a673c643842893cd3
SSDEEP

384:Rx/s1q0xbI/nDTcmBH0FZcX7ckfwhNaBU5pArO1tFZIcqej9I1rj:Rx/s1qw+nDTjBH0jcXIAkE4mO1t70Pr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1500	stub.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\stub.exe	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1352 wrote to memory of 1324	1352	0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe	28
PID 1324 wrote to memory of 1500	1324	rundll32.exe	29
PID 1324 wrote to memory of 1500	1324	rundll32.exe	29
PID 1324 wrote to memory of 1500	1324	rundll32.exe	29
PID 1324 wrote to memory of 1500	1324	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe
"C:\Users\Admin\AppData\Local\Temp\0882182756180e269b4b4fbe9d6a9a76294fe82c4d78a2356c8ceea6c6d5325e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe url.dll,FileProtocolHandler C:\Windows\stub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\stub.exe
    "C:\Windows\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\stub.exe

Filesize
18KB

MD5
82b52cd57a1e4dc8f1629161d54aab7f

SHA1
a1a935e7e161bf0ed7bc2adbfcd4ef1620fe3c7d

SHA256
47db1bdf0cfa449fd5428f3e0ad9f9b5e4fca81791f2c2fc931be17ded9b07b6

SHA512
e796471f40270990debbb417c72b85e057b5a225fcb92cafd8d046f733e89c989a32f8a9e0328e193bae66488ddd3af819e3ee2ebdf0425ac1d6114516826523

Download Submit
C:\Windows\stub.exe

Filesize
18KB

MD5
82b52cd57a1e4dc8f1629161d54aab7f

SHA1
a1a935e7e161bf0ed7bc2adbfcd4ef1620fe3c7d

SHA256
47db1bdf0cfa449fd5428f3e0ad9f9b5e4fca81791f2c2fc931be17ded9b07b6

SHA512
e796471f40270990debbb417c72b85e057b5a225fcb92cafd8d046f733e89c989a32f8a9e0328e193bae66488ddd3af819e3ee2ebdf0425ac1d6114516826523

Download Submit
memory/1324-58-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1352-54-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1352-62-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1352-63-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download