Analysis

max time kernel: 36s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 19:18

Static task: static1
Behavioral task: behavioral1
Sample: tochi889054.exe
Resource: win7-20220812-en
General

Target: tochi889054.exe
Size: 228KB
MD5: 0cb9ae3bbda860d66aecf80bb0ecdded
SHA1: 5da779c51ba99bdd6d116aa07ca85d16ee1a857a
SHA256: 1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7
SHA512: b2a77ce3b04a79547d134b626e906121e3d652880ebb36e40351f5d36b5296e3fbf9c2bc1b626c9b9d5e54a0daa429c9cb224f207abb0072b454657be244da3a
SSDEEP: 6144:QBn1v53NqFxQea5h5IB5fsirujm4F6L9cFyu:gvtN0QDNILfsiQm46cV
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1988  bmdmfha.exe

Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1488  tochi889054.exe
    1488  tochi889054.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process          target process
    PID 1488 wrote to memory of 1988  1488  tochi889054.exe  bmdmfha.exe
    PID 1488 wrote to memory of 1988  1488  tochi889054.exe  bmdmfha.exe
    PID 1488 wrote to memory of 1988  1488  tochi889054.exe  bmdmfha.exe
    PID 1488 wrote to memory of 1988  1488  tochi889054.exe  bmdmfha.exe
Processes

C:\Users\Admin\AppData\Local\Temp\tochi889054.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tochi889054.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1488
    C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe" C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
      - Executes dropped EXE
      PID: 1988
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
  Filesize: 59KB
  MD5: f5d6bcc7ed9bcf9591695a11c01b3109
  SHA1: bb9c76294536e3aa1e41f334b92490465b34b92a
  SHA256: 6244c6c88427e09bbca2ccf9e549b13f1f272bc2f92ef9bb3d35d7feb3e903aa
  SHA512: 17fd4d5b94ed84e5f714ac0eb4ad4b70dc650ccebb1961fe744e210817a2f0e81f2dacc803e815fef2f9c314cf5dabb07eedfa4bbad4cd5fe2cdf688f2404195

\Users\Admin\AppData\Local\Temp\bmdmfha.exe
  Filesize: 59KB
  MD5: f5d6bcc7ed9bcf9591695a11c01b3109
  SHA1: bb9c76294536e3aa1e41f334b92490465b34b92a
  SHA256: 6244c6c88427e09bbca2ccf9e549b13f1f272bc2f92ef9bb3d35d7feb3e903aa
  SHA512: 17fd4d5b94ed84e5f714ac0eb4ad4b70dc650ccebb1961fe744e210817a2f0e81f2dacc803e815fef2f9c314cf5dabb07eedfa4bbad4cd5fe2cdf688f2404195
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp
  Filesize: 8KB

memory/1988-57-0x0000000000000000-mapping.dmp