Analysis
- max time kernel: 161s
- max time network: 218s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 18:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
- Resource: win7-20221111-en
General
- Target: 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
- Size: 279KB
- MD5: 2838dbfc712c09e9797dafb02e1a7f3f
- SHA1: 4107eb23bca94f3adfe6c5ddefcf83b12a4312e8
- SHA256: 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8
- SHA512: 45af689b9c2881ba67e98551acf62c1c1b9920580e0cb5f4805a9c6a4c0aafa74c0d247c21a0349992684307a362a0f4db251e3f82adb22595aebdbe2acc8b35
- SSDEEP: 6144:jKkCmx7H9i7+iFINAS+S/9M4Fea4qZAU0rZpX6:dCmx7Hg7+vW4o2AU0rZV6
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid 4432: 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description; pid; process; target process):
  PID 3032 wrote to memory of 4432; 3032; 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe; 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
  PID 3032 wrote to memory of 4432; 3032; 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe; 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
  PID 3032 wrote to memory of 4432; 3032; 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe; 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe (depth 2)
    Command line: 1febf4ebc138dd01f1a4e9e302ffaeb5207f8a3e7de9e790a8755b5d125d67b8.exe --704c6c78
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\slidesonic.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\slidesonic.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3032-132-0x00000000006E0000-0x00000000006F1000-memory.dmp (68KB)
- memory/3032-133-0x00000000006E0000-0x00000000006F1000-memory.dmp (68KB)
- memory/3032-134-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/3032-135-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/3032-137-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/3188-140-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/4432-136-0x0000000000000000-mapping.dmp
- memory/4432-138-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/4432-139-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)