Analysis
-
max time kernel
44s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
01-12-2022 20:49
Static task
static1
Behavioral task
behavioral1
Sample
19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
Resource
win7-20220901-en
General
-
Target
19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
-
Size
260KB
-
MD5
d7f70f86875fb3aadfa0228690652fb3
-
SHA1
40745191f6897210d46c023259ac17084ebe0f12
-
SHA256
19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca
-
SHA512
528a947c1219faeb14585ab9e5dbfd23cc2a8aaf1bbaa11fdff13699c904bdf5364c149de26fb91ba134d737d82d7208144d9036c0dc3f88ff56357fd8cb2701
-
SSDEEP
6144:QBn1/WI+GjGGWQ51zoG0cm9TsMhKULa2OEmQV2:g/nVGGZPoDceTXhxL2Pp
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
leqls.exepid process 900 leqls.exe -
Loads dropped DLL 1 IoCs
Processes:
19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exepid process 2024 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exedescription pid process target process PID 2024 wrote to memory of 900 2024 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe leqls.exe PID 2024 wrote to memory of 900 2024 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe leqls.exe PID 2024 wrote to memory of 900 2024 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe leqls.exe PID 2024 wrote to memory of 900 2024 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe leqls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe"C:\Users\Admin\AppData\Local\Temp\19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\leqls.exe"C:\Users\Admin\AppData\Local\Temp\leqls.exe" C:\Users\Admin\AppData\Local\Temp\aqehglvbxjg.due2⤵
- Executes dropped EXE
PID:900
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\leqls.exeFilesize
122KB
MD560b966acbee7b9f4d8481c3b23cc8000
SHA1eb5bce7f660dd412573b416ad83c204300db013c
SHA2560721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0
SHA512169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177
-
\Users\Admin\AppData\Local\Temp\leqls.exeFilesize
122KB
MD560b966acbee7b9f4d8481c3b23cc8000
SHA1eb5bce7f660dd412573b416ad83c204300db013c
SHA2560721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0
SHA512169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177
-
memory/900-56-0x0000000000000000-mapping.dmp
-
memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmpFilesize
8KB