97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 11:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe
Size

772KB
MD5

483e6256fa77f7d99d0b78f9ed8a81db
SHA1

e52d6c71d7ff0897c477be862c6268d1957ed15d
SHA256

97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34
SHA512

37eebccd8e993630a6af7369e57180db155253a85de47dfd6812bb7dde196ff4c5ff7bdbec53415dc662cdd79e1d71b85fb6a958d1b566b247724106794cebdc
SSDEEP

6144:Rhb5oqpMUyN+OukephOMa3fmWD5717akmdvfdlVZPJAVgys7X+Qi9jOI:RJ9yN+Oukn7mWD57wbvPPuRsLS9jn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
668	filedrop1.exe
1476	filedrop2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 668	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	28
PID 1324 wrote to memory of 668	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	28
PID 1324 wrote to memory of 668	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	28
PID 1324 wrote to memory of 668	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	28
PID 1324 wrote to memory of 1476	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	29
PID 1324 wrote to memory of 1476	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	29
PID 1324 wrote to memory of 1476	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	29
PID 1324 wrote to memory of 1476	1324	97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe	29

C:\Users\Admin\AppData\Local\Temp\97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe
"C:\Users\Admin\AppData\Local\Temp\97019b3f22e843f71b5bd90df618a22c85410626de152ca0bcd690f8df27fa34.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\filedrop1.exe
  "C:\Users\Admin\AppData\Local\Temp\filedrop1.exe"
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Users\Admin\AppData\Local\Temp\filedrop2.exe
  "C:\Users\Admin\AppData\Local\Temp\filedrop2.exe"
  2⤵
  - Executes dropped EXE
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\filedrop1.exe

Filesize
74KB

MD5
8fd8ffe88c6064ec79b23da39aa7ce23

SHA1
093bb78070b3175e0c7e54fdb457d8e219ad7b99

SHA256
c24e0774e39a5eb5e77480ba7a23971ebebc8de0e8d781d5898d340ba49ea259

SHA512
a07ea982ff8cad0edcf841906c6473222fc6dd3ce74eefb9f6bdf349f83d24887ae5734a4ce94ed6a9cd9ce31a69abe694c8efe4bc04d5182bccc24e79ee1ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\filedrop1.exe

Filesize
74KB

MD5
8fd8ffe88c6064ec79b23da39aa7ce23

SHA1
093bb78070b3175e0c7e54fdb457d8e219ad7b99

SHA256
c24e0774e39a5eb5e77480ba7a23971ebebc8de0e8d781d5898d340ba49ea259

SHA512
a07ea982ff8cad0edcf841906c6473222fc6dd3ce74eefb9f6bdf349f83d24887ae5734a4ce94ed6a9cd9ce31a69abe694c8efe4bc04d5182bccc24e79ee1ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\filedrop2.exe

Filesize
302KB

MD5
93b95d055a6e1c5a6ce67cff322540c8

SHA1
616fc7fb0938440f322414ecbd334bdbd0a52a7e

SHA256
4ebca108b0e926042c4a647d641bf5f45c510c6d619434373028083cac49b840

SHA512
88bc2744ef141adefd0332056d8f9dbba2b04c378384d0572ca9a6c4b5596f9677f755214db7583f5c3c486a21d690a8a4e9fcf39f236020c48994ea91e4771a

Download Submit
C:\Users\Admin\AppData\Local\Temp\filedrop2.exe

Filesize
302KB

MD5
93b95d055a6e1c5a6ce67cff322540c8

SHA1
616fc7fb0938440f322414ecbd334bdbd0a52a7e

SHA256
4ebca108b0e926042c4a647d641bf5f45c510c6d619434373028083cac49b840

SHA512
88bc2744ef141adefd0332056d8f9dbba2b04c378384d0572ca9a6c4b5596f9677f755214db7583f5c3c486a21d690a8a4e9fcf39f236020c48994ea91e4771a

Download Submit
memory/668-63-0x0000000000B80000-0x0000000000B9A000-memory.dmp

Filesize
104KB

Download
memory/1324-54-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/1324-55-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download
memory/1476-62-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1476-64-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1476-66-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download