Analysis
-
max time kernel
186s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 14:45
Static task
static1
Behavioral task
behavioral1
Sample
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe
Resource
win10v2004-20221111-en
General
-
Target
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe
-
Size
82KB
-
MD5
ede518e477765a20a6e0aaaee3040c88
-
SHA1
786f17d5708896423468ac149b1a693ccadd7009
-
SHA256
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157
-
SHA512
6e2b0f905a8c454899014d938485898664e00546449bee6194aa443176d7585b47db02aa658bccae06ea4ff8f97b84777158b0ff2edee984a22b42beb0705106
-
SSDEEP
1536:VwJOoN1oYaoZ5iV685XJPCmXrX9W3a36LWYSwrlcu3XeoAgGTnMszVqZQ9lr:VwJ52Y7ZoH5XJambtWqqLWYhqoA9Tn7Z
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
Processes:
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exepid process 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exedescription pid process target process PID 1432 set thread context of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exedescription pid process target process PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe PID 1432 wrote to memory of 4012 1432 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe 3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe"C:\Users\Admin\AppData\Local\Temp\3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe"C:\Users\Admin\AppData\Local\Temp\3bf70c8247290ae1962330eaabadcb09762378301b45709faf063c2151183157.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsc1CB1.tmp\coon.dllFilesize
66KB
MD5d1fab492d5c805bdc293b108896b8967
SHA1840ca14c9173c5ea7e42556cc6567fd76dfdec19
SHA25676a4321aaa9816f4725bd69711bcba322cc1bae6a703d5f916cf2431a1696b0e
SHA5122169a6105a013f76e8588a34a7a1536e0cfa22268dd0f63105ee8782b1b45a215e5c2c3d0847f70e368a864660c35bfd526247f64c3b9871e3fc608e139c5a66
-
C:\Users\Admin\AppData\Local\Temp\nsc1CB1.tmp\coon.dllFilesize
66KB
MD5d1fab492d5c805bdc293b108896b8967
SHA1840ca14c9173c5ea7e42556cc6567fd76dfdec19
SHA25676a4321aaa9816f4725bd69711bcba322cc1bae6a703d5f916cf2431a1696b0e
SHA5122169a6105a013f76e8588a34a7a1536e0cfa22268dd0f63105ee8782b1b45a215e5c2c3d0847f70e368a864660c35bfd526247f64c3b9871e3fc608e139c5a66
-
memory/1432-134-0x0000000002270000-0x0000000002289000-memory.dmpFilesize
100KB
-
memory/4012-135-0x0000000000000000-mapping.dmp
-
memory/4012-136-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB