5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe
Size

1.6MB
MD5

cea8150c6576c02e33c82d63243d01ad
SHA1

ffa03b93910d1babe2bf5bfe4bdb6a8207f557e2
SHA256

5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79
SHA512

85f21a31ec95d2361fd88291209ace2823661978840f759b5066d888d2e5e0962876c81c009b86adae129a12d84949a3c9235f841bdbf2b0ba56953ebc55c80d
SSDEEP

49152:lwf0GoyZCnbZQQEjyzCGJeYuRwf0GoyZCnbZQQEjyzCGJeYu:ldyiaQEjyzCGJe9dyiaQEjyzCGJe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1840	1.exe
1284	2.exe
1340	mu3mp3.exe

Loads dropped DLL 5 IoCs

pid	Process
1840	1.exe
1840	1.exe
1840	1.exe
1840	1.exe
1840	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1840	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	28
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 836 wrote to memory of 1284	836	5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe	29
PID 1840 wrote to memory of 1340	1840	1.exe	30
PID 1840 wrote to memory of 1340	1840	1.exe	30
PID 1840 wrote to memory of 1340	1840	1.exe	30
PID 1840 wrote to memory of 1340	1840	1.exe	30

C:\Users\Admin\AppData\Local\Temp\5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe
"C:\Users\Admin\AppData\Local\Temp\5c9c2c27aaf6208043fdaf898893094f62a12160c906f0456b39adbd178d5b79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe"
    3⤵
    - Executes dropped EXE
    PID:1340
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
803KB

MD5
7f5662e95a76a6322035c977d60b4522

SHA1
e908a374531d0406cf105e13319b8c158ca313e3

SHA256
e8db2ee256413e4aa5e28e0c423ea740e61337c34cf04b97faad8373fd2984bf

SHA512
e3724318995a5d4f5357425f7ed5973a052e87388be1bccb18a3515f2f2db73d8303db57bba967893d7745e34550cb63544542a787a662ecb29a222b534c3109

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fiche-identite-oeuvre.pdf

Filesize
7KB

MD5
988b2a07ae9d11d94dfde2425866c5b4

SHA1
53a7c3aafc268b2636341a7a7503191b791f0b73

SHA256
383fd78bf9d06cb56ddb361f45cf53a25e81e974f4153f2f6b07c59b89c8c0ea

SHA512
3340271202f8ec5729ea807b53c85707edfb87f89ff8200d9395cdf0069be5120a92fbd3042d4f81bc1de0020be50fc19c80efd4a3100baac014a1b96b26bb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mu3mp3.exe

Filesize
760KB

MD5
4d1d5659b867fab1ff1d07f4177857e5

SHA1
b5e6759c49ecdc2b788d86b917ab0b59dd9c4a1f

SHA256
5bfe77cb3f023c7a8e77a5cfb7571131552f443dab345d4c5fafe0c369b0d10f

SHA512
f032d510e6ad327bf45dedb10e6b6023c9a2911112e8eb95b9c6b45e424ca7e9b86791edd1b83f544995cd7eee729d8c1a9bee8a743c70cebc8e12b9e644707b

Download Submit
memory/836-54-0x000007FEF37D0000-0x000007FEF41F3000-memory.dmp

Filesize
10.1MB

Download
memory/836-55-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1340-73-0x000007FEF2E30000-0x000007FEF3853000-memory.dmp

Filesize
10.1MB

Download
memory/1840-58-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download