029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-571-GLS.exe
Size

268KB
MD5

6cc14805bbf5e6bfb4daae5c8a61af7e
SHA1

34836f2aa6a4e97705352a50d2a7147c857fea94
SHA256

029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
SHA512

5f1bb5a77d471e49e15ff414b24ac89858e5458884f8f672a92376434dd9363e6d80146d6448b4ee0233c70531f58c4c7d431d9f873e6d1a2fdacf680479b2c6
SSDEEP

6144:QBn14u11x6y/QH2tw81qVegiZU/S4RaXFKia7ZiOfu:g4uRX4WvqMgiZgSXFKhZiO2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jsqqecy.exe

pid process

1272 jsqqecy.exe
Loads dropped DLL 1 IoCs

Processes:

2022-571-GLS.exe

pid process

1632 2022-571-GLS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1272	jsqqecy.exe

pid	process
1632	2022-571-GLS.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2022-571-GLS.exe

description	pid	process	target process
PID 1632 wrote to memory of 1272	1632	2022-571-GLS.exe	jsqqecy.exe
PID 1632 wrote to memory of 1272	1632	2022-571-GLS.exe	jsqqecy.exe
PID 1632 wrote to memory of 1272	1632	2022-571-GLS.exe	jsqqecy.exe
PID 1632 wrote to memory of 1272	1632	2022-571-GLS.exe	jsqqecy.exe

C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe
"C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
"C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe" C:\Users\Admin\AppData\Local\Temp\xduyswx.up
2⤵
- Executes dropped EXE
PID:1272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
Filesize
144KB

MD5
07875284ce0a6276f406b25f9e429270

SHA1
38a67882404fe8cd7473c8b1949a0b5384b36f94

SHA256
aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e

SHA512
5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1

Download Submit
\Users\Admin\AppData\Local\Temp\jsqqecy.exe
Filesize
144KB

MD5
07875284ce0a6276f406b25f9e429270

SHA1
38a67882404fe8cd7473c8b1949a0b5384b36f94

SHA256
aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e

SHA512
5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1

Download Submit
memory/1272-56-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download