78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe
Size

245KB
MD5

e005a61a0266c90d665a6ba6d4291204
SHA1

40acbf11d86b34900994459a334855e0f1a79f6b
SHA256

78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89
SHA512

3304e45f5f8f12f54c5f99e9c45a9d9426124a838c1c366848ef8e450d289639104c53091953cf3cb3426861d6df413a9f6b03b5e2b297d19155505020673f6e
SSDEEP

6144:iZ58dVwgaXRlOavUbl5ll4DQFu/U3buRKlemZ9DnGAeo9XIsXakKmXzKatx:icdVLahLvUblrl4DQFu/U3buRKlemZ95

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	sedit.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe
1184	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1948	1184	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe	26
PID 1184 wrote to memory of 1948	1184	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe	26
PID 1184 wrote to memory of 1948	1184	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe	26
PID 1184 wrote to memory of 1948	1184	78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe	26

C:\Users\Admin\AppData\Local\Temp\78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe
"C:\Users\Admin\AppData\Local\Temp\78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe"
  2⤵
  - Executes dropped EXE
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe

Filesize
245KB

MD5
e005a61a0266c90d665a6ba6d4291204

SHA1
40acbf11d86b34900994459a334855e0f1a79f6b

SHA256
78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89

SHA512
3304e45f5f8f12f54c5f99e9c45a9d9426124a838c1c366848ef8e450d289639104c53091953cf3cb3426861d6df413a9f6b03b5e2b297d19155505020673f6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe

Filesize
245KB

MD5
e005a61a0266c90d665a6ba6d4291204

SHA1
40acbf11d86b34900994459a334855e0f1a79f6b

SHA256
78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89

SHA512
3304e45f5f8f12f54c5f99e9c45a9d9426124a838c1c366848ef8e450d289639104c53091953cf3cb3426861d6df413a9f6b03b5e2b297d19155505020673f6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe

Filesize
245KB

MD5
e005a61a0266c90d665a6ba6d4291204

SHA1
40acbf11d86b34900994459a334855e0f1a79f6b

SHA256
78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89

SHA512
3304e45f5f8f12f54c5f99e9c45a9d9426124a838c1c366848ef8e450d289639104c53091953cf3cb3426861d6df413a9f6b03b5e2b297d19155505020673f6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sedit.exe

Filesize
245KB

MD5
e005a61a0266c90d665a6ba6d4291204

SHA1
40acbf11d86b34900994459a334855e0f1a79f6b

SHA256
78e3b115df400157e292c1bfd8e9e1ceab7bed04212349d29e28e0e17cb95b89

SHA512
3304e45f5f8f12f54c5f99e9c45a9d9426124a838c1c366848ef8e450d289639104c53091953cf3cb3426861d6df413a9f6b03b5e2b297d19155505020673f6e

Download Submit
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download