40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5bea76ffac05afbe19274595801184e.exe
Size

278KB
MD5

f5bea76ffac05afbe19274595801184e
SHA1

93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
SHA256

40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
SHA512

3e1537258907bc3707c5cd0a54b4b5d35516e1ccb2443dfcfb493ecd931a734acf85bf2fb9aede36893b7dd12ee71baac7df48506117aee972bdab68e6a08ab3
SSDEEP

6144:QBn1RomeugRHbNAtHRgt/GVl9tSvOBFRQecwcwHa:gavFRy5Ot/OceFRbfHa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

febcldoukq.exe

pid process

804 febcldoukq.exe
Loads dropped DLL 1 IoCs

Processes:

f5bea76ffac05afbe19274595801184e.exe

pid process

1280 f5bea76ffac05afbe19274595801184e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
804	febcldoukq.exe

pid	process
1280	f5bea76ffac05afbe19274595801184e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f5bea76ffac05afbe19274595801184e.exe

description	pid	process	target process
PID 1280 wrote to memory of 804	1280	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe
PID 1280 wrote to memory of 804	1280	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe
PID 1280 wrote to memory of 804	1280	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe
PID 1280 wrote to memory of 804	1280	f5bea76ffac05afbe19274595801184e.exe	febcldoukq.exe

C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe
"C:\Users\Admin\AppData\Local\Temp\f5bea76ffac05afbe19274595801184e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
"C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe" C:\Users\Admin\AppData\Local\Temp\uebzn.cef
2⤵
- Executes dropped EXE
PID:804

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
\Users\Admin\AppData\Local\Temp\febcldoukq.exe
Filesize
144KB

MD5
96e050f99502fe7c52fd9b0f10202578

SHA1
9ace01d602e21ff8bf364a3bb2f46bc7fd285a7b

SHA256
c7207f58e7a5bad6efc38c7ddfddbc3b32c28f6bba01d4251a44f6bbdabe4bc3

SHA512
e09edf0c05667fd2b684ad48f6938a0fb41c9b346197d5065fe828093789140b1a1f79279d8504428c9ba0b8049fad9d7242015c43b746c854688aa883898e1e

Download Submit
memory/804-56-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download