c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86

Analysis

max time kernel
157s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 19:35

Target

c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
Size

34KB
MD5

22433b312ce49b70b9f4e0faa6afcb48
SHA1

021a92937aa884de83d8787a273e747c48d52c63
SHA256

c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86
SHA512

7f6ccecdeabb503d8559e654530a8d2fb24e8511f5f7a13753ded6bbaaab2d5efb0eaa0726cb5958957fe247966bf2120e47cc5e86ddeef3a943739ab96d9a24
SSDEEP

768:GwkBWuF+Wk5uMXYxiGmsox40ebUKAUdI2gQa5WND1QHQ:GBBWuFfw7YxitsoL/+mVYuw

Score

7^/10

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\pXt14.com	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
File created	C:\Windows\Fonts\pXt14.com	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2708	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe
2708	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82
PID 936 wrote to memory of 2708	936	c1ee585fa63d520dcaac8f9ab1861f5ca610051213f45b1ad09d124c5cb49d86.exe	82

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2572

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2708-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2708-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2708-136-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2708-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download