faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe
Size

2.1MB
MD5

4edd660134e4ab4846bff796b5bc0776
SHA1

569f602d3915c564f9a243b1053aa3a4e8f5076c
SHA256

faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a
SHA512

e7a25717a85a8379180857a01584d9cea9eac3fe8f1237f82f6426aba5092c20b10ba748ffb754141bf8c08de1ab1d649c9ce6c68883971af5369072eef04a5e
SSDEEP

49152:q6dLJmsVgU/yP24coxiu5YqWa8krIATep/F84Vah4W0W6x:Bd8igd5cYiu5bd0AToWJhj01

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
964	is-EQO54.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 964	808	faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe	79
PID 808 wrote to memory of 964	808	faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe	79
PID 808 wrote to memory of 964	808	faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe	79

C:\Users\Admin\AppData\Local\Temp\faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe
"C:\Users\Admin\AppData\Local\Temp\faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\is-AAA13.tmp\is-EQO54.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AAA13.tmp\is-EQO54.tmp" /SL4 $13006C "C:\Users\Admin\AppData\Local\Temp\faefaad292c0996c60633e23eb83b6436cbe8a628160b4bfc94ebf9394c9ba1a.exe" 1901484 72704
  2⤵
  - Executes dropped EXE
  PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-AAA13.tmp\is-EQO54.tmp

Filesize
656KB

MD5
629862060f2aa8ee88037f1118581fab

SHA1
b824e97c574f147fbec496ac8aca1b2bd74d3d91

SHA256
e975b2e2f21a5877db1d731dc1564ac5850c3a96f9b1cc11cbce8dd22c16acd8

SHA512
7dce41507709ed620d11c4c28a3e7e87e4de3aaff856fa4636ef3d3f49dfa0e610a4c802cee98c2d31bac6f10077060e83df93e67cda87b5f480b588dee26a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AAA13.tmp\is-EQO54.tmp

Filesize
656KB

MD5
629862060f2aa8ee88037f1118581fab

SHA1
b824e97c574f147fbec496ac8aca1b2bd74d3d91

SHA256
e975b2e2f21a5877db1d731dc1564ac5850c3a96f9b1cc11cbce8dd22c16acd8

SHA512
7dce41507709ed620d11c4c28a3e7e87e4de3aaff856fa4636ef3d3f49dfa0e610a4c802cee98c2d31bac6f10077060e83df93e67cda87b5f480b588dee26a91

Download Submit
memory/808-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/808-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/808-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download