fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001

Analysis

max time kernel
140s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe
Size

2.6MB
MD5

46a0556d72c16f96a9d7a381169a7786
SHA1

8ad661cccac2b3f1adaa0504d81b7903b46c94c5
SHA256

fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001
SHA512

501f72dd61562fcd1c02cfbed3c296aebfe22c6f6ec2923a0d02740af325b8083a25d46e8126ffa376ff04ac24c7389bc490f2477117354203eeb3034bbab3f3
SSDEEP

49152:/6d+KkPZK1mPg66jSw6e8rmt2/PH9R91vEOIfk5promuwocsR7HJiKHLJIo9mWf:CdkM1s6uw6rznV1ws5ZGh97HJiKH1F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4292	is-8BSNE.tmp

Loads dropped DLL 2 IoCs

pid	Process
4292	is-8BSNE.tmp
4292	is-8BSNE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 4292	3632	fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe	80
PID 3632 wrote to memory of 4292	3632	fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe	80
PID 3632 wrote to memory of 4292	3632	fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe	80

C:\Users\Admin\AppData\Local\Temp\fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe
"C:\Users\Admin\AppData\Local\Temp\fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\is-9GITA.tmp\is-8BSNE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9GITA.tmp\is-8BSNE.tmp" /SL4 $30068 "C:\Users\Admin\AppData\Local\Temp\fb9efdb85349504838172be4636d71dfea4317fb0ddba5e2056d1ca1ad2d9001.exe" 2516912 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9GITA.tmp\is-8BSNE.tmp

Filesize
635KB

MD5
9bedee409be9e51fd694894e67cdb39e

SHA1
804838236ff5b6d285eb9d8548ecbaaf5882e65a

SHA256
544adccc3008713c4bd7c559456a2519db52b058d000b81b45a21b8835204d9f

SHA512
006aa404f2727ed2ad01d843bc7dd12f90b2b55d2379b9584e6d16b39ce3047019b3a7af795313d943b35965205526145dadfd9604bcc6885ad73e065403ac6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9GITA.tmp\is-8BSNE.tmp

Filesize
635KB

MD5
9bedee409be9e51fd694894e67cdb39e

SHA1
804838236ff5b6d285eb9d8548ecbaaf5882e65a

SHA256
544adccc3008713c4bd7c559456a2519db52b058d000b81b45a21b8835204d9f

SHA512
006aa404f2727ed2ad01d843bc7dd12f90b2b55d2379b9584e6d16b39ce3047019b3a7af795313d943b35965205526145dadfd9604bcc6885ad73e065403ac6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTSO3.tmp\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTSO3.tmp\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/3632-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3632-134-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3632-141-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4292-140-0x00000000024B1000-0x00000000024B3000-memory.dmp

Filesize
8KB

Download