Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 12:15
Static task: static1
Behavioral task: behavioral1
Sample: 2022-571-GLS.exe
Resource: win7-20220901-en
General
Target: 2022-571-GLS.exe
Size: 268KB
MD5: 6cc14805bbf5e6bfb4daae5c8a61af7e
SHA1: 34836f2aa6a4e97705352a50d2a7147c857fea94
SHA256: 029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
SHA512: 5f1bb5a77d471e49e15ff414b24ac89858e5458884f8f672a92376434dd9363e6d80146d6448b4ee0233c70531f58c4c7d431d9f873e6d1a2fdacf680479b2c6
SSDEEP: 6144:QBn14u11x6y/QH2tw81qVegiZU/S4RaXFKia7ZiOfu:g4uRX4WvqMgiZgSXFKhZiO2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: jsqqecy.exe (pid 1272)
- Loads dropped DLL (1 IoC)
  Processes: 2022-571-GLS.exe (pid 1632)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 1632 wrote to memory of 1272 / 1632 / 2022-571-GLS.exe / jsqqecy.exe
  PID 1632 wrote to memory of 1272 / 1632 / 2022-571-GLS.exe / jsqqecy.exe
  PID 1632 wrote to memory of 1272 / 1632 / 2022-571-GLS.exe / jsqqecy.exe
  PID 1632 wrote to memory of 1272 / 1632 / 2022-571-GLS.exe / jsqqecy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe (level 2, child of 2022-571-GLS.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe" C:\Users\Admin\AppData\Local\Temp\xduyswx.up
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
  Filesize: 144KB
  MD5: 07875284ce0a6276f406b25f9e429270
  SHA1: 38a67882404fe8cd7473c8b1949a0b5384b36f94
  SHA256: aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e
  SHA512: 5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1
- \Users\Admin\AppData\Local\Temp\jsqqecy.exe
  Filesize: 144KB
  MD5: 07875284ce0a6276f406b25f9e429270
  SHA1: 38a67882404fe8cd7473c8b1949a0b5384b36f94
  SHA256: aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e
  SHA512: 5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1
- memory/1272-56-0x0000000000000000-mapping.dmp
- memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
  Filesize: 8KB