Analysis

  • max time kernel: 150s
  • max time network: 47s
  • platform: windows7_x64
  • resource: win7-20220901-en
  • resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-12-2022 12:49

General

  • Target: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
  • Size: 1.3MB
  • MD5: 50483428535f9c6b9069907a1e10836c
  • SHA1: 6bbfafef42ecb2a3da33a2603470bcf14a0cac5a
  • SHA256: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf
  • SHA512: 8af99ec233ec7b90d9e2c75a221824da2c90417440baae654246e926467e555eaa693168881ff8f7292937871d1a7088bfd993426e1ec8e57adcf06cee7b14ea
  • SSDEEP: 24576:hSt9NvZJSIIIX1Vg2mYwPB+SKbqvjxbkU0RQusKusj:m8XISlb55w

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe
    "C:\Users\Admin\AppData\Local\Temp\ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\tmpXP26\smse.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpXP26\smse.exe" smse tmpXP26
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$Windows$$.bat
      2⤵
      • Deletes itself
      PID:1392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$Windows$$.bat
    Filesize: 248B
    MD5: 5a8d55f51a01bf4f7fc74038f5a1fd78
    SHA1: adb4542ad8086fec51eb63ec2148dcc8ae89ddf2
    SHA256: e2c83aed2a5b97b5303dbd4505a1fb591e7a1bc4dee4fe2a9193d6b16afc4568
    SHA512: 739db8321c0555e5afcb82d95d99264589caae47655b6525e7a297603c5e0bee3398c2ebf555e7fc58d6a7959bcd73596b97c14ce49589b09beeebff30ebc86a

  • C:\Users\Admin\AppData\Local\Temp\tmpXP26\smse.exe
    Filesize: 1.3MB
    MD5: 50483428535f9c6b9069907a1e10836c
    SHA1: 6bbfafef42ecb2a3da33a2603470bcf14a0cac5a
    SHA256: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf
    SHA512: 8af99ec233ec7b90d9e2c75a221824da2c90417440baae654246e926467e555eaa693168881ff8f7292937871d1a7088bfd993426e1ec8e57adcf06cee7b14ea

  • \Users\Admin\AppData\Local\Temp\tmpXP26\smse.exe
    Filesize: 1.3MB
    MD5: 50483428535f9c6b9069907a1e10836c
    SHA1: 6bbfafef42ecb2a3da33a2603470bcf14a0cac5a
    SHA256: ce4da45a6425982048808756deace64dd4f0720fb24f3fa5dfcc058ea1e616cf
    SHA512: 8af99ec233ec7b90d9e2c75a221824da2c90417440baae654246e926467e555eaa693168881ff8f7292937871d1a7088bfd993426e1ec8e57adcf06cee7b14ea

  • memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp
    Filesize: 8KB

  • memory/1392-59-0x0000000000000000-mapping.dmp

  • memory/2024-56-0x0000000000000000-mapping.dmp