Analysis
Max time kernel: 55s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 01-12-2022 09:23
Behavioral task: behavioral1
Sample: fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe
Resource: win10v2004-20220901-en
General
Target: fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe
Size: 100KB
MD5: 9b72b4ed31ddd4d6c0ed9f5bf5575e4e
SHA1: a8858bfbc6cccd287a59121deb3e59d2e24692e3
SHA256: fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29
SHA512: b3a39e1ac30ae6159a9dd40c2ceb3b175f6b29e6b4e1581d11af16082f12f3f6530b39c7938d9f7ee59a6428d387a1ef621b6538fd766f88aceeb87132aa22fc
SSDEEP: 1536:N8GH2R6HJSpuSSLF+kqsaeyFUqcPoG3nNl77O+OtI7bvnkhXLavWO23:N8O2KOSLgk5yGqO3NllnkevA3
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 832: Server.exe
Loads dropped DLL (2 IoCs)
  pid 1868: fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe
  pid 2032: dw20.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1868 wrote to memory of 832 | pid: 1868 | Process: fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe | procid_target: 27 (4 identical entries)
  description: PID 832 wrote to memory of 2032 | pid: 832 | Process: Server.exe | procid_target: 28 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fce8fea99f6e669c66c054300463667affb91064569fdcd1680f2d7db9307f29.exe"
   PID: 1868
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Server.exe (child of PID 1868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      PID: 832
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (child of PID 832)
         Command line: dw20.exe -x -s 396
         PID: 2032
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB
MD5: 08d98ec46fe61ad362d0cfb5ea57c279
SHA1: f097f0d0577b2b30b461ecdefbcf755995b1c003
SHA256: 15e170caea70f4fa0ab04345426a32c0e632ae6ca2148e1f6e2a9a0e20afa4d6
SHA512: 4c740aaad6e1ed79f82a5b7b486900ad6882c11db0b9f10529d1fc22dc04b0dd0e282b2b1fd304a17113740c5ca85dc44aeac2451dfddcc35e35da2081464bcc