19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
Size

260KB
MD5

d7f70f86875fb3aadfa0228690652fb3
SHA1

40745191f6897210d46c023259ac17084ebe0f12
SHA256

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca
SHA512

528a947c1219faeb14585ab9e5dbfd23cc2a8aaf1bbaa11fdff13699c904bdf5364c149de26fb91ba134d737d82d7208144d9036c0dc3f88ff56357fd8cb2701
SSDEEP

6144:QBn1/WI+GjGGWQ51zoG0cm9TsMhKULa2OEmQV2:g/nVGGZPoDceTXhxL2Pp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

leqls.exe

pid process

900 leqls.exe
Loads dropped DLL 1 IoCs

Processes:

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe

pid process

2024 19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
900	leqls.exe

pid	process
2024	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe

description	pid	process	target process
PID 2024 wrote to memory of 900	2024	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe
PID 2024 wrote to memory of 900	2024	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe
PID 2024 wrote to memory of 900	2024	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe
PID 2024 wrote to memory of 900	2024	19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe	leqls.exe

C:\Users\Admin\AppData\Local\Temp\19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe
"C:\Users\Admin\AppData\Local\Temp\19b1c1a8ae564560a0cbf3382bd566fd6b70c4a685d86dbd64f25fe01cc17cca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\leqls.exe
"C:\Users\Admin\AppData\Local\Temp\leqls.exe" C:\Users\Admin\AppData\Local\Temp\aqehglvbxjg.due
2⤵
- Executes dropped EXE
PID:900

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\leqls.exe
Filesize
122KB

MD5
60b966acbee7b9f4d8481c3b23cc8000

SHA1
eb5bce7f660dd412573b416ad83c204300db013c

SHA256
0721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0

SHA512
169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177

Download Submit
\Users\Admin\AppData\Local\Temp\leqls.exe
Filesize
122KB

MD5
60b966acbee7b9f4d8481c3b23cc8000

SHA1
eb5bce7f660dd412573b416ad83c204300db013c

SHA256
0721ce254a8f5f6cd82b702c8971501e4e6db317bdc2bc75cf1ebd30b2a1f5b0

SHA512
169996e157a11ff92633e1d23175edd19cdfcd66509e8fed41fbe378117685bbd463f0e9f0e2ed3db3b78499a82ce2ad36a2838c536566ad630c73c9a5c7c177

Download Submit
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download