6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 16:58

Target

6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe
Size

298KB
MD5

84f74986ab1ec41d699ef20ad818b15b
SHA1

c71731439c6cba022b23deaa318c76c1c2ce89c4
SHA256

6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8
SHA512

d8c0d1f3f56a99708f7f69318d3880c8f2a9143c8a0ec1e65f3a7e2f6fb74bea29d1f56ce07ef5d148c9fbdfb8e1455665784995282e5c98dc3adfb5ee6ecd00
SSDEEP

6144:odYsr96Cbovg0heb2lXOlbE6eWPPpf7dzak0XI56J/bFRyfUb:Bsr96CWg0he6OlQwP579se6J/bsUb

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
5060	6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 5060	4276	6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe	78
PID 4276 wrote to memory of 5060	4276	6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe	78
PID 4276 wrote to memory of 5060	4276	6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe	78

C:\Users\Admin\AppData\Local\Temp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe
"C:\Users\Admin\AppData\Local\Temp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\is-R75LN.tmp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R75LN.tmp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.tmp" /SL5="$C0048,60363,51712,C:\Users\Admin\AppData\Local\Temp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.exe"
  2⤵
  - Executes dropped EXE
  PID:5060

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\is-R75LN.tmp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.tmp

Filesize
693KB

MD5
82e31dc1c0fa036f7dfaff76c13003cf

SHA1
2642671a2faf72af7d64e953b49e62f538d53824

SHA256
db6aa814463fa84a36bd66efacfaa1b91f92ba658b7145fabf5f6ee018e4c634

SHA512
86f09d6387fedf6cfec7edd1e93ad89898377e314baaf75dc090194c3af17339a592ba5342c5240be4f9a12bbc40f621062226660b32047843564037155b3641

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R75LN.tmp\6321dcbf0e7d1fb40208b08b96b2e4c24a7a4d578bacff7a45e831b0f487edd8.tmp

Filesize
693KB

MD5
82e31dc1c0fa036f7dfaff76c13003cf

SHA1
2642671a2faf72af7d64e953b49e62f538d53824

SHA256
db6aa814463fa84a36bd66efacfaa1b91f92ba658b7145fabf5f6ee018e4c634

SHA512
86f09d6387fedf6cfec7edd1e93ad89898377e314baaf75dc090194c3af17339a592ba5342c5240be4f9a12bbc40f621062226660b32047843564037155b3641

Download Submit
memory/4276-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4276-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4276-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download