8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
Size

1.1MB
MD5

91b1db7e3292f487f66f3d9c170d6e5e
SHA1

6420eef5b702cb6010c29716fb1c73d83de571c0
SHA256

8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6
SHA512

a335b449aa9160a371a1e0c03c86e13292460455dc72f057613b3ae2491cccf537473006997427129d3efaf00ad944fdd26e9e9f68537bea3d3b60d4e2199bf3
SSDEEP

24576:Ro22Jna7K7GlxW9CGlLxSAty9dvhKR6rVL0vZsHCVcHiEddMJL0:jgaG7QxWAML0AA9JU8rVYhV6SF0

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 6 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1704	netsh.exe
1528	netsh.exe
1416	netsh.exe
2004	netsh.exe
904	netsh.exe
316	netsh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1704	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	26
PID 364 wrote to memory of 1704	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	26
PID 364 wrote to memory of 1704	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	26
PID 364 wrote to memory of 1704	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	26
PID 364 wrote to memory of 1528	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	28
PID 364 wrote to memory of 1528	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	28
PID 364 wrote to memory of 1528	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	28
PID 364 wrote to memory of 1528	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	28
PID 364 wrote to memory of 1416	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	30
PID 364 wrote to memory of 1416	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	30
PID 364 wrote to memory of 1416	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	30
PID 364 wrote to memory of 1416	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	30
PID 364 wrote to memory of 1132	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	32
PID 364 wrote to memory of 1132	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	32
PID 364 wrote to memory of 1132	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	32
PID 364 wrote to memory of 1132	364	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	32
PID 1132 wrote to memory of 2004	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	33
PID 1132 wrote to memory of 2004	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	33
PID 1132 wrote to memory of 2004	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	33
PID 1132 wrote to memory of 2004	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	33
PID 1132 wrote to memory of 904	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	34
PID 1132 wrote to memory of 904	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	34
PID 1132 wrote to memory of 904	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	34
PID 1132 wrote to memory of 904	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	34
PID 1132 wrote to memory of 316	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	37
PID 1132 wrote to memory of 316	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	37
PID 1132 wrote to memory of 316	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	37
PID 1132 wrote to memory of 316	1132	8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe	37

C:\Users\Admin\AppData\Local\Temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
"C:\Users\Admin\AppData\Local\Temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\users\admin\appdata\local\temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  PID:1704
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\users\admin\appdata\local\temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  PID:1528
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\users\admin\appdata\local\temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe
  "C:\Users\Admin\AppData\Local\Temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\users\admin\appdata\local\temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe" enable=yes profile=domain
    3⤵
    - Modifies Windows Firewall
    PID:2004
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\users\admin\appdata\local\temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe" enable=yes profile=private
    3⤵
    - Modifies Windows Firewall
    PID:904
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\users\admin\appdata\local\temp\8a299d52e6c5c9190ad19c623539bcb07403f2c1bc92c1f572b330aa9b0cfbb6.exe" enable=yes profile=public
    3⤵
    - Modifies Windows Firewall
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-63-0x0000000001D80000-0x0000000001ECD000-memory.dmp

Filesize
1.3MB

Download
memory/364-55-0x0000000001D80000-0x0000000001ECD000-memory.dmp

Filesize
1.3MB

Download
memory/364-56-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1132-79-0x0000000000550000-0x000000000069D000-memory.dmp

Filesize
1.3MB

Download
memory/1132-80-0x0000000000550000-0x000000000069D000-memory.dmp

Filesize
1.3MB

Download