016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc

Analysis

max time kernel
249s
max time network
347s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe
Size

79KB
MD5

98681537c815ca60e1988361f560e4a0
SHA1

721b0b0b19f5010c13aecad1b1c8d1ea32caff32
SHA256

016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc
SHA512

f8f163c89ed089f8e087df3199aded5c3a784561cf1ded76ef2186652149aeaf8b5113e130fc28dda6ae36e9c855782bf26d3f0302f98f3f1987a97ee81e538b
SSDEEP

1536:6rVuwRHTfe5YzMk/ER2YbaWo2nByDORbT+U8exq:6rc75yS2Yb5o2wqn8ex

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
584	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1740	NOTEPAD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
596	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe
596	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 976 wrote to memory of 596	976	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	27
PID 596 wrote to memory of 584	596	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	28
PID 596 wrote to memory of 584	596	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	28
PID 596 wrote to memory of 584	596	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	28
PID 596 wrote to memory of 584	596	016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe	28
PID 584 wrote to memory of 1740	584	svchost.exe	29
PID 584 wrote to memory of 1740	584	svchost.exe	29
PID 584 wrote to memory of 1740	584	svchost.exe	29
PID 584 wrote to memory of 1740	584	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe
"C:\Users\Admin\AppData\Local\Temp\016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe
  "C:\Users\Admin\AppData\Local\Temp\016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\016653e6a99f4c66840a29f614c90835b6109841f253022425d26a63004712fc.txt

Filesize
175B

MD5
6df96747865541d31b550ecb76b0f76b

SHA1
af9e3e882d554b5d75d9ce11d6bb56b14f647997

SHA256
f3821e4c5443af157b8a478eac4973fcfb13ad5d0f922135c516148fc426cee2

SHA512
37b0e539f61520766b5c599b1389ac13a050474324af05fd1fb2d20e14014e4fd57dc6478c6c3e73ffd10f5eb424128dd26d24e0745f5046573aa709a9dcebb4

Download Submit
memory/584-66-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/584-63-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/584-65-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/584-67-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/584-71-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/596-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/596-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/596-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/596-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/596-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download