02a2a44548d03be7cbc7276014f36ad14b6238694864f0ba481b2303ee387cfb

Analysis

max time kernel
35s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FACTURE AVEC TVA.exe
Size

239KB
MD5

62e00c3a2ab7efb375892ccf1024a3fd
SHA1

fa3d67066ad84410aeb1618c7f753f1a2896390d
SHA256

02a2a44548d03be7cbc7276014f36ad14b6238694864f0ba481b2303ee387cfb
SHA512

24205b1de8568b89eb2348b2a2cb2c0f3f1bd93e73d6f2e4acb4bfffb69112a8e801f577cdc640413f079852cde6818cb0e712acd09c42a8407254c0debc8ba6
SSDEEP

6144:QBn1zdM7q6aFrQWloaSP/EyNaaEf32j0CmhusYi9BaEZRdFWV:gzdQqFFvz6/pNazU0CmXPZ/FWV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uqxnynobr.exe

pid process

896 uqxnynobr.exe
Loads dropped DLL 2 IoCs

Processes:

FACTURE AVEC TVA.exe

pid process

1992 FACTURE AVEC TVA.exe
1992 FACTURE AVEC TVA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
896	uqxnynobr.exe

pid	process
1992	FACTURE AVEC TVA.exe
1992	FACTURE AVEC TVA.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

FACTURE AVEC TVA.exe

description	pid	process	target process
PID 1992 wrote to memory of 896	1992	FACTURE AVEC TVA.exe	uqxnynobr.exe
PID 1992 wrote to memory of 896	1992	FACTURE AVEC TVA.exe	uqxnynobr.exe
PID 1992 wrote to memory of 896	1992	FACTURE AVEC TVA.exe	uqxnynobr.exe
PID 1992 wrote to memory of 896	1992	FACTURE AVEC TVA.exe	uqxnynobr.exe

C:\Users\Admin\AppData\Local\Temp\FACTURE AVEC TVA.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURE AVEC TVA.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
"C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe" C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
2⤵
- Executes dropped EXE
PID:896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
Filesize
59KB

MD5
5c274179ecd4defdf1bd20db9a9c860e

SHA1
4ec2eee3235b621dcb4399121d0bbcb29f71b9a8

SHA256
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d

SHA512
9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

Download Submit
\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
Filesize
59KB

MD5
5c274179ecd4defdf1bd20db9a9c860e

SHA1
4ec2eee3235b621dcb4399121d0bbcb29f71b9a8

SHA256
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d

SHA512
9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

Download Submit
\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
Filesize
59KB

MD5
5c274179ecd4defdf1bd20db9a9c860e

SHA1
4ec2eee3235b621dcb4399121d0bbcb29f71b9a8

SHA256
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d

SHA512
9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

Download Submit
memory/896-57-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download