a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59

Analysis

max time kernel
24s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 00:05

Target

a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe
Size

245KB
MD5

a3becd0d67e4de477bf1a0ba9600e5f4
SHA1

a06dc2589c61b02de99ec5123a44031ad67a06ee
SHA256

a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59
SHA512

bb44001293736c57624eed9a80e7d65f98a105639733836467dd82d7fec90f706090b8b631da33b58149ab45c1272cc69d3a6dca9ae87e6f8daae327c5a63a39
SSDEEP

6144:MvbP36OAaAQal+Dmn3cpSE6cr5FnBkU5ZR2:gr3v/ralsG3C66qUzR2

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28
PID 1756 wrote to memory of 1740	1756	a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe	28

C:\Users\Admin\AppData\Local\Temp\a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe
"C:\Users\Admin\AppData\Local\Temp\a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c move "C:\Users\Admin\AppData\Local\Temp\~@fs851aa623" "C:\Users\Admin\AppData\Local\Temp\a36531a371a6e7d56793d6e79d4e92bf5b2312691e0cc602495bac03f0c46d59.exe" > nul
  2⤵
  PID:1740

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\~@fs851aa623

Filesize
245KB

MD5
002aade33665e46b9d70db444f388f7b

SHA1
3a9e8d95e95442f9dfd4a8fa514d8ccd254c7f53

SHA256
17a5cbaa94aa3c40f82ff2dbe5d2f5ec590afac7e39ecbea0f563b77b5eddfbd

SHA512
a032a9c03595cd6a65ff0f099e50a3bdba8eccdadcd547e87de6228d53e2f53696597113716cb4a7c0c843fb2e0941c62b2398bab991402bdf70656bb7718e8a

Download Submit
\Users\Admin\AppData\Local\Temp\MSAPI.DAT

Filesize
188KB

MD5
f4d21a265774c6fe1d037793d5475469

SHA1
3d88e477db19cdc58dd522221684e461176958e6

SHA256
15d4af9f4f9c9f089c995479942cd2d9d3f9ee9cf9587d086da63259d31a7da1

SHA512
6c12967bd310046a6bc5f273a3adbcc0392709b39602ad7470bc45cb3ca22aac106b6003de9dbd4f874368f4864aed26c7ad3751b6e5864a304f3d9b574854c4

Download Submit
memory/1740-56-0x0000000000000000-mapping.dmp

Download
memory/1756-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download