be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a

Analysis

max time kernel
37s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.16929.9956.exe
Size

272KB
MD5

f2455fcb7954e649589e7406fd5acc97
SHA1

2532f710ed4ee7bae1be0f8726b4d599fda03973
SHA256

be8e8f4846b6b166d049c45dba8a91323aac80bc6fb01889de7f99442a577e1a
SHA512

b3ad6211317fa9159adb8a0a9a2486d091bc56bce288a0843005a90e761f4832d34b60ee28b5fd2c5b4bac5ac2962c144051de99f264bc4d2f6311bfb7711e5a
SSDEEP

6144:QBn1e3XWMCcAYtE3R0n0OZL/mS3SnBLOag9YMHLcxzcsc:goGaAYt4OrgO5Zcxzcsc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

eubkfbzr.exe

pid process

968 eubkfbzr.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.16929.9956.exe

pid process

1672 SecuriteInfo.com.FileRepMalware.16929.9956.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
968	eubkfbzr.exe

pid	process
1672	SecuriteInfo.com.FileRepMalware.16929.9956.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.16929.9956.exe

description	pid	process	target process
PID 1672 wrote to memory of 968	1672	SecuriteInfo.com.FileRepMalware.16929.9956.exe	eubkfbzr.exe
PID 1672 wrote to memory of 968	1672	SecuriteInfo.com.FileRepMalware.16929.9956.exe	eubkfbzr.exe
PID 1672 wrote to memory of 968	1672	SecuriteInfo.com.FileRepMalware.16929.9956.exe	eubkfbzr.exe
PID 1672 wrote to memory of 968	1672	SecuriteInfo.com.FileRepMalware.16929.9956.exe	eubkfbzr.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.16929.9956.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.16929.9956.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
"C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe" C:\Users\Admin\AppData\Local\Temp\qnhjmzefy.uas
2⤵
- Executes dropped EXE
PID:968

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
Filesize
122KB

MD5
36acfdb1046bd68aa0e6cc2ab4e4c3bd

SHA1
75a07369397553b78f46752b160893893188dd90

SHA256
06437c9f7a08d1d71708fc123595278f2f3f8bc28a1984ef0020fe982f767f99

SHA512
06c47082dde926e47f60acf806e273f875804a1a28bc9d4a4df050a83a93700d8234e2cc97c4e4b2327010885fa0e959d3646c8936f78a78ca27a7d023e025d6

Download Submit
\Users\Admin\AppData\Local\Temp\eubkfbzr.exe
Filesize
122KB

MD5
36acfdb1046bd68aa0e6cc2ab4e4c3bd

SHA1
75a07369397553b78f46752b160893893188dd90

SHA256
06437c9f7a08d1d71708fc123595278f2f3f8bc28a1984ef0020fe982f767f99

SHA512
06c47082dde926e47f60acf806e273f875804a1a28bc9d4a4df050a83a93700d8234e2cc97c4e4b2327010885fa0e959d3646c8936f78a78ca27a7d023e025d6

Download Submit
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download