Analysis
- max time kernel: 384s
- max time network: 452s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:36
Behavioral task: behavioral1
- Sample: c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
- Resource: win7-20221111-en
- Platform: windows7-x64
- 8 signatures
- 150 seconds
General
- Target: c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
- Size: 116KB
- MD5: 89368f12753a9657d1a0c7fe1817aa8c
- SHA1: 6ae1889a752a23479550c037647e2d8bc60601f4
- SHA256: c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf
- SHA512: 2b646be52e62d3bc487acc26def7dc25fb9876bddbaf5bbc25b30f17e911c340067e6cbbe0976fa6ab1a7530e663dad01d3a3adf1049f5d83f1d5c6c9ef27bc1
- SSDEEP: 3072:b8ENSRg5KrR52iOG7jWXlnYNav5KLdIIPst5tKRlU:b8KSRg5KPHOGErRKL6GgZ
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid 1848, process c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 4196 wrote to memory of 1848 | 4196 | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
  PID 4196 wrote to memory of 1848 | 4196 | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
  PID 4196 wrote to memory of 1848 | 4196 | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe | c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe
  PID 1552 wrote to memory of 2056 | 1552 | bearslics.exe | bearslics.exe
  PID 1552 wrote to memory of 2056 | 1552 | bearslics.exe | bearslics.exe
  PID 1552 wrote to memory of 2056 | 1552 | bearslics.exe | bearslics.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c3be44de65945ca8ee4da7fa1ac8d3d33bc098960c717657ab3f62462ae07ddf.exe (depth 2)
    Command line: --70751afc
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\bearslics.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\bearslics.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\bearslics.exe (depth 2)
    Command line: --8a9b7622
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1552-138-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/1552-139-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/1848-141-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/1848-136-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/1848-137-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/1848-134-0x0000000000000000-mapping.dmp
- memory/2056-140-0x0000000000000000-mapping.dmp
- memory/2056-142-0x0000000000490000-0x00000000004A1000-memory.dmp (Filesize 68KB)
- memory/2056-143-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/2056-144-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/4196-135-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/4196-133-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/4196-132-0x0000000000670000-0x0000000000681000-memory.dmp (Filesize 68KB)