e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963

Analysis

max time kernel
101s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 10:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe
Size

301KB
MD5

39311432deee2e276a23c6ec5be07e28
SHA1

6ebed781e33456677e509cf156cd9f3a0076ad8d
SHA256

e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963
SHA512

33eddad203f1716e774d39d2521033c6cb658ffbb36746c1e6ce7e80a1c5e46900f01f34f71c7c0192cd291289fa082e07f2efa210dc78e22e724306aa3832a7
SSDEEP

6144:guIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqInw5:b6Wq4aaE6KwyF5L0Y2D1PqL1w5

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4948-132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4948-134-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4948-134-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1120	4948	e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe	81
PID 4948 wrote to memory of 1120	4948	e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe	81
PID 4948 wrote to memory of 1120	4948	e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe	81

C:\Users\Admin\AppData\Local\Temp\e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe
"C:\Users\Admin\AppData\Local\Temp\e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe
  "C:\Users\Admin\AppData\Local\Temp\e9c349d069cdc27111358d1c814bd7270335384063a4b69595a1512b829de963.exe"
  2⤵
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4948-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4948-134-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download