9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe
Size

1.8MB
MD5

b21c0b54ec2941a4592c57e2f788b0b4
SHA1

73b2298aa6e9a04ff226aa0e9a83b4836b060e6e
SHA256

9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a
SHA512

94667ff28f10776d2f95e73ffa70fa33c4e8db02005e8dbf42898a39bc739c169aac53ab7f26785613811beebc392df0b6527d9275b985e343b0059e8e8dca91
SSDEEP

49152:EgOC1tGFXdbhljDasY6DwOBfrnvV7UeWt2bExrl5VeQt:kC1tCd9YiwOBpIeW9rlXe2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
440	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe
File created	C:\Windows\assembly\Desktop.ini	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
440	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe
440	9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe

C:\Users\Admin\AppData\Local\Temp\9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe
"C:\Users\Admin\AppData\Local\Temp\9e24dd64c2484ad401e910c3c111f27475a62525c638603c08e54f4f02780a6a.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45ob2d5p.avl\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
memory/440-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/440-134-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download