ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a

Analysis

max time kernel
3s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe
Size

313KB
MD5

b3aee08d6c40c59ef0810ce481789280
SHA1

f87f64080fa289a9bd667b3de05a2073b8618478
SHA256

ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a
SHA512

0f9caa37a7c2377f08687030d26ab099a7b754530a3d05195bb38bfa84a49d77fffd85835edfb0126d5fd1654ebd19aa5f0a4cbf35d9dc6a50d9724176f36657
SSDEEP

6144:yijYe4VGbYuIo0B+3O0r18i1rX3Lw1nivWE7E8IGL2YYyhRyhHGoSn4dDgovXsQ:yw4VrnwZ88rX3inszLyHG6mKL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	msmns.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe
1232	ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msmns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmgs = "C:\\Arquivos de programas\\Arquivos comuns\\msmns.exe"	msmns.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1528	1232	ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe	28
PID 1232 wrote to memory of 1528	1232	ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe	28
PID 1232 wrote to memory of 1528	1232	ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe	28
PID 1232 wrote to memory of 1528	1232	ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe	28

C:\Users\Admin\AppData\Local\Temp\ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe
"C:\Users\Admin\AppData\Local\Temp\ce096abe79fd05472e90433030f374b6177cf1d99aa715e451e6de356647aa0a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Arquivos de programas\Arquivos comuns\msmns.exe\msmns.exe
  "C:\Arquivos de programas\Arquivos comuns\msmns.exe\msmns.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Arquivos de programas\Arquivos comuns\msmns.exe\msmns.exe

Filesize
516KB

MD5
35847adf70f8ef2c8e9f791aed071518

SHA1
ee4a0cad012f8e56d91fa793b6c9f27f4c1d6052

SHA256
9795831e1a4252176119450777d69897b4952676be59a888c4325139ff53c5e0

SHA512
d3ee317625666c264a9bbb8644ca024dddff44287dfb0ea9524c4894b11667b763300e09d6937dfaf4326535979f0fde1121813305439f03ccbe46b6309be5f0

Download Submit
\Arquivos de programas\Arquivos comuns\msmns.exe\msmns.exe

Filesize
516KB

MD5
35847adf70f8ef2c8e9f791aed071518

SHA1
ee4a0cad012f8e56d91fa793b6c9f27f4c1d6052

SHA256
9795831e1a4252176119450777d69897b4952676be59a888c4325139ff53c5e0

SHA512
d3ee317625666c264a9bbb8644ca024dddff44287dfb0ea9524c4894b11667b763300e09d6937dfaf4326535979f0fde1121813305439f03ccbe46b6309be5f0

Download Submit
\Arquivos de programas\Arquivos comuns\msmns.exe\msmns.exe

Filesize
516KB

MD5
35847adf70f8ef2c8e9f791aed071518

SHA1
ee4a0cad012f8e56d91fa793b6c9f27f4c1d6052

SHA256
9795831e1a4252176119450777d69897b4952676be59a888c4325139ff53c5e0

SHA512
d3ee317625666c264a9bbb8644ca024dddff44287dfb0ea9524c4894b11667b763300e09d6937dfaf4326535979f0fde1121813305439f03ccbe46b6309be5f0

Download Submit
memory/1232-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download