a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe
Size

678KB
MD5

3d0c6da1340e644dde589f11b0d0f586
SHA1

8b4648398a548cc933ae17b8d288d82de6d6bfc4
SHA256

a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a
SHA512

da9a82028450e472dff78fd32e77162e0b667d15edaeecbc23ecab847517a78cc2fb31183b43b95300ece8b0b77b2af728f759ad65c97e70a0b61f52dffefeb2
SSDEEP

12288:QfZw/ja6bw4SH3eC2bfm53/5d9lkBJC3JFNAg1t6s01zUlW:sZw/jx5SHT4e5v5d9lkBJCqhd1zU8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
592	30horas.exe

Loads dropped DLL 3 IoCs

pid	Process
1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe
592	30horas.exe
592	30horas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27
PID 1000 wrote to memory of 592	1000	a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe	27

C:\Users\Admin\AppData\Local\Temp\a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe
"C:\Users\Admin\AppData\Local\Temp\a3d2e3cb59e1babbd41a061675a142ea154f5714dc83cb1888c33be15731714a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\30horas.exe
  "C:\Users\Admin\AppData\Local\Temp\30horas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30horas.exe

Filesize
5.0MB

MD5
6e5e89ea2138ff431dfa979b35724a4e

SHA1
2ca6f14dfd8cac6706780a4075870ff9a581d0d5

SHA256
7b188db570f79a8d3d5aee2bee82785b2a921bd948581e89ad462f2635515872

SHA512
5f754e1469de8c027b82c710a3b8ce68e4072545681b2abb52e40f037c49119fffeffc3591745d8966ab75bd5ced65a2cce3c6dcbd16fc0a443a8a488c777bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\30horas.exe

Filesize
5.0MB

MD5
6e5e89ea2138ff431dfa979b35724a4e

SHA1
2ca6f14dfd8cac6706780a4075870ff9a581d0d5

SHA256
7b188db570f79a8d3d5aee2bee82785b2a921bd948581e89ad462f2635515872

SHA512
5f754e1469de8c027b82c710a3b8ce68e4072545681b2abb52e40f037c49119fffeffc3591745d8966ab75bd5ced65a2cce3c6dcbd16fc0a443a8a488c777bbf

Download Submit
\Users\Admin\AppData\Local\Temp\30horas.exe

Filesize
5.0MB

MD5
6e5e89ea2138ff431dfa979b35724a4e

SHA1
2ca6f14dfd8cac6706780a4075870ff9a581d0d5

SHA256
7b188db570f79a8d3d5aee2bee82785b2a921bd948581e89ad462f2635515872

SHA512
5f754e1469de8c027b82c710a3b8ce68e4072545681b2abb52e40f037c49119fffeffc3591745d8966ab75bd5ced65a2cce3c6dcbd16fc0a443a8a488c777bbf

Download Submit
\Users\Admin\AppData\Local\Temp\30horas.exe

Filesize
5.0MB

MD5
6e5e89ea2138ff431dfa979b35724a4e

SHA1
2ca6f14dfd8cac6706780a4075870ff9a581d0d5

SHA256
7b188db570f79a8d3d5aee2bee82785b2a921bd948581e89ad462f2635515872

SHA512
5f754e1469de8c027b82c710a3b8ce68e4072545681b2abb52e40f037c49119fffeffc3591745d8966ab75bd5ced65a2cce3c6dcbd16fc0a443a8a488c777bbf

Download Submit
\Users\Admin\AppData\Local\Temp\30horas.exe

Filesize
5.0MB

MD5
6e5e89ea2138ff431dfa979b35724a4e

SHA1
2ca6f14dfd8cac6706780a4075870ff9a581d0d5

SHA256
7b188db570f79a8d3d5aee2bee82785b2a921bd948581e89ad462f2635515872

SHA512
5f754e1469de8c027b82c710a3b8ce68e4072545681b2abb52e40f037c49119fffeffc3591745d8966ab75bd5ced65a2cce3c6dcbd16fc0a443a8a488c777bbf

Download Submit
memory/592-56-0x0000000000000000-mapping.dmp

Download
memory/1000-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download