af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613

Analysis

max time kernel
185s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe
Size

1.4MB
MD5

551ceee6694f808b39713b83565831cd
SHA1

2946a8af64fcce930f32607969e70258aa70e835
SHA256

af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613
SHA512

bcdddad51c0f776b167687561d90f16911c3963744d3893b7f1f39d46dde4e96aea66ec7c1555f17ead06e865873ad9498c2a5ee0e71ba3c5ac50b4bbe531256
SSDEEP

24576:rEOG/tKVb6bNBecPS+v9jS7AokrbL2xby/GvCwVXmOArqID/uf2IB:rEOGFKOzKCV5b65oGz2aZB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4704	is-3TN11.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4704	4304	af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe	82
PID 4304 wrote to memory of 4704	4304	af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe	82
PID 4304 wrote to memory of 4704	4304	af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe	82

C:\Users\Admin\AppData\Local\Temp\af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe
"C:\Users\Admin\AppData\Local\Temp\af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\is-ACGC5.tmp\is-3TN11.tmp
  C:\Users\Admin\AppData\Local\Temp\is-ACGC5.tmp\is-3TN11.tmp /SL4 $D01DA C:\Users\Admin\AppData\Local\Temp\af1f70ab517b28992a0208f086022a5873501f4d30673f6b48312f8391096613.exe 1456611 68096
  2⤵
  - Executes dropped EXE
  PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ACGC5.tmp\is-3TN11.tmp

Filesize
542KB

MD5
7f89ee4b959ddc9eb34d3db7196c9537

SHA1
d8f8939a39dd4294c04532fc730398b51434f9c9

SHA256
a6e5c93270dc4826d66d00ef5729b0ecfe43fa9250f861f464a071d3915ceb05

SHA512
0f40ea85a7a1add8966fa8e6a20420569626107c65667d8bdd7e497c9e437e861fbc468d9405e048e843fe255bc104b2dbceb6cfcdb0767e306f93b17c8d3141

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ACGC5.tmp\is-3TN11.tmp

Filesize
542KB

MD5
7f89ee4b959ddc9eb34d3db7196c9537

SHA1
d8f8939a39dd4294c04532fc730398b51434f9c9

SHA256
a6e5c93270dc4826d66d00ef5729b0ecfe43fa9250f861f464a071d3915ceb05

SHA512
0f40ea85a7a1add8966fa8e6a20420569626107c65667d8bdd7e497c9e437e861fbc468d9405e048e843fe255bc104b2dbceb6cfcdb0767e306f93b17c8d3141

Download Submit
memory/4304-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4304-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4304-135-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download