Analysis
max time kernel: 150s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 03-12-2022 12:49
Static task: static1
Behavioral task: behavioral1
  Sample: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
  Resource: win10v2004-20221111-en
General
Target: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
Size: 1.3MB
MD5: 50483428535f9c6b9069907a1e10836c
SHA1: 6bbfafef42ecb2a3da33a2603470bcf14a0cac5a
SHA256: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf
SHA512: 8af99ec233ec7b90d9e2c75a221824da2c90417440baae654246e926467e555eaa693168881ff8f7292937871d1a7088bfd993426e1ec8e57adcf06cee7b14ea
SSDEEP: 24576:hSt9NvZJSIIIX1Vg2mYwPB+SKbqvjxbkU0RQusKusj:m8XISlb55w
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2024, process smse.exe
Deletes itself (1 IoC)
  pid 1392, process cmd.exe
Loads dropped DLL (1 IoC)
  pid 992, process ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid 2024, process smse.exe (30 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 992 wrote to memory of 2024 / 992 / ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe / 27 (4 identical entries)
  PID 992 wrote to memory of 1392 / 992 / ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe / 28 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe"
  PID: 992
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\tmpXP26\smse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpXP26\smse.exe" smse tmpXP26
    PID: 2024
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$Windows$$.bat
    PID: 1392
    - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 248B
MD5: 5a8d55f51a01bf4f7fc74038f5a1fd78
SHA1: adb4542ad8086fec51eb63ec2148dcc8ae89ddf2
SHA256: e2c83aed2a5b97b5303dbd4505a1fb591e7a1bc4dee4fe2a9193d6b16afc4568
SHA512: 739db8321c0555e5afcb82d95d99264589caae47655b6525e7a297603c5e0bee3398c2ebf555e7fc58d6a7959bcd73596b97c14ce49589b09beeebff30ebc86a

Filesize: 1.3MB
MD5: 50483428535f9c6b9069907a1e10836c
SHA1: 6bbfafef42ecb2a3da33a2603470bcf14a0cac5a
SHA256: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf
SHA512: 8af99ec233ec7b90d9e2c75a221824da2c90417440baae654246e926467e555eaa693168881ff8f7292937871d1a7088bfd993426e1ec8e57adcf06cee7b14ea