0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
Size

6.4MB
MD5

4e818908bb2c826de0ed646c0c2aef92
SHA1

7f26da24b93f5e25ebbfa01eb94b0daf744dd394
SHA256

0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2
SHA512

5a499b9dd3b814cef468c16956e2a491561861c4dfc48138282a70087e5d7a889a9846b2a2eb49196c57c4a28818f445642f76fc7d6d5d077a924f1c0a248212
SSDEEP

196608:hmCuV01GBI3J9/64s/w2VuFB7qcrFePLs9P5Z4:hMMP59/64tHRePsP5Z4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1640	eREsZCFa62kjBLrh.exe
1352	IDM1.tmp

Loads dropped DLL 2 IoCs

pid	Process
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1640	eREsZCFa62kjBLrh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1640	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	27
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 1088	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	34
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 552	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	28
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 1492	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	33
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 268	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	32
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 716	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	29
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 1444	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	30
PID 1104 wrote to memory of 676	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	31
PID 1104 wrote to memory of 676	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	31
PID 1104 wrote to memory of 676	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	31
PID 1104 wrote to memory of 676	1104	0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe	31
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35
PID 1640 wrote to memory of 1352	1640	eREsZCFa62kjBLrh.exe	35

C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
"C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\eREsZCFa62kjBLrh.exe
  "C:\Users\Admin\AppData\Local\Temp\eREsZCFa62kjBLrh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
    "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
    3⤵
    - Executes dropped EXE
    PID:1352
- C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
  "C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
  2⤵
  PID:552
- C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
  "C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
  2⤵
  PID:716
- C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
  "C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
  2⤵
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 924
  2⤵
  PID:676
- C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
  "C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
  "C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe
  "C:\Users\Admin\AppData\Local\Temp\0006c411fb8cebfb82ef3a13d66e00c82208d28b2e713ee3d67b6bc6aa1a2cb2.exe"
  2⤵
  PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
175KB

MD5
7b23613e34913818a64a92f3ee63632f

SHA1
fe420d380de28e52805c128c6f9d3ee5ea3aba7e

SHA256
9ff162920ed4f1703506ae1159df104be2d9cd88d2056bddb611ff0f7b4bcaa5

SHA512
2c6398d7a2ed5c0eab0a4838ca848a21f0fa3b9ebd8aa8c76423952ea661e6f7a5b5cd86791df76f3f3d97a5443e76657e1ec6e43536d001ff8ec394cc1ef9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eREsZCFa62kjBLrh.exe

Filesize
5.9MB

MD5
29fa6c43fa031cdbc85b0f34ffef0b2a

SHA1
6772cc97034b11d418ebfc62f79062e359816ef7

SHA256
7335d2083a9b33560d140e4fa98fb181802387ebef09ab812a4a2d0603ce686a

SHA512
5cfb9a6cc91adec7c8bb6070ac001b0cca07c94a5d49cc97d121fc706cd1a1bc07e0359bc09ec3a96d600be31f5448b1fa9d557e41f3e3a7913917a0c86107c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eREsZCFa62kjBLrh.exe

Filesize
5.9MB

MD5
29fa6c43fa031cdbc85b0f34ffef0b2a

SHA1
6772cc97034b11d418ebfc62f79062e359816ef7

SHA256
7335d2083a9b33560d140e4fa98fb181802387ebef09ab812a4a2d0603ce686a

SHA512
5cfb9a6cc91adec7c8bb6070ac001b0cca07c94a5d49cc97d121fc706cd1a1bc07e0359bc09ec3a96d600be31f5448b1fa9d557e41f3e3a7913917a0c86107c8

Download Submit
\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
175KB

MD5
7b23613e34913818a64a92f3ee63632f

SHA1
fe420d380de28e52805c128c6f9d3ee5ea3aba7e

SHA256
9ff162920ed4f1703506ae1159df104be2d9cd88d2056bddb611ff0f7b4bcaa5

SHA512
2c6398d7a2ed5c0eab0a4838ca848a21f0fa3b9ebd8aa8c76423952ea661e6f7a5b5cd86791df76f3f3d97a5443e76657e1ec6e43536d001ff8ec394cc1ef9b5

Download Submit
\Users\Admin\AppData\Local\Temp\eREsZCFa62kjBLrh.exe

Filesize
5.9MB

MD5
29fa6c43fa031cdbc85b0f34ffef0b2a

SHA1
6772cc97034b11d418ebfc62f79062e359816ef7

SHA256
7335d2083a9b33560d140e4fa98fb181802387ebef09ab812a4a2d0603ce686a

SHA512
5cfb9a6cc91adec7c8bb6070ac001b0cca07c94a5d49cc97d121fc706cd1a1bc07e0359bc09ec3a96d600be31f5448b1fa9d557e41f3e3a7913917a0c86107c8

Download Submit
memory/1104-63-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

Filesize
36KB

Download
memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1104-55-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-71-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1640-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1640-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download