ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 09:24

Target

ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
Size

126KB
MD5

91e5bf64c9c8c4332cf188efb7de80d0
SHA1

fb8562f2a8d84b6e0c411c381fe64383f6a7e475
SHA256

ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7
SHA512

0749c89d0cfe91f6c7c474aed05f16b7f41cbfffda4e5f3408c490e11d9c4da741a458b8d91f95f574c252cbeb502ba8d833d0731e59ab744aacfb4001314895
SSDEEP

3072:8dwEcppl69FPQpNPQ6//sdFLvQeiN32++6xU+fh370k3hdAf:imppl69Q//sGF+Kp170k3hY

Score

8^/10

Executes dropped EXE 2 IoCs

pid	Process
4632	r.exe
4568	r.exe240546953na.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll.right.tlb	r.exe240546953na.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll	r.exe240546953na.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll.tlb	r.exe240546953na.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll.move.tlb	r.exe240546953na.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2820	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
4568	r.exe240546953na.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\r.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File created	C:\Program Files (x86)\r.exe240546953na.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File opened for modification	C:\Program Files (x86)\r.exe240546953na.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File created	C:\Program Files (x86)\win	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File created	C:\Program Files (x86)\r.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2820	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
2820	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
4568	r.exe240546953na.exe
4568	r.exe240546953na.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4632	2820	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	79
PID 2820 wrote to memory of 4632	2820	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	79
PID 2820 wrote to memory of 4632	2820	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	79
PID 4632 wrote to memory of 4568	4632	r.exe	81
PID 4632 wrote to memory of 4568	4632	r.exe	81
PID 4632 wrote to memory of 4568	4632	r.exe	81

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
PID:4504

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Program Files (x86)\r.exe

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Program Files (x86)\r.exe240546953na.exe

Filesize
114KB

MD5
cec0558edd55364d25e7a5f690352776

SHA1
185e0704fecd0f96467aff3b5cb7db5c32895a4c

SHA256
537c6aeff3e5fefcd1b55920b6662261a579ea753540193295c872454760ad3a

SHA512
1091286fada69f5ea29adada4751f9530bbd9636c09e77b8f66d81910ff0350be3e450487b1867e8c2b66bbbfffeec9f56ee764162cfb9571c3051571977a7f8

Download Submit
C:\Program Files (x86)\r.exe240546953na.exe

Filesize
114KB

MD5
cec0558edd55364d25e7a5f690352776

SHA1
185e0704fecd0f96467aff3b5cb7db5c32895a4c

SHA256
537c6aeff3e5fefcd1b55920b6662261a579ea753540193295c872454760ad3a

SHA512
1091286fada69f5ea29adada4751f9530bbd9636c09e77b8f66d81910ff0350be3e450487b1867e8c2b66bbbfffeec9f56ee764162cfb9571c3051571977a7f8

Download Submit
memory/2820-132-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4568-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download