7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e

Analysis

max time kernel
108s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe
Size

5.7MB
MD5

11f6cae0bac15a1af57acba9b18f3ba5
SHA1

6eac8bae2bfdd4d2745ac042e7020ae971b625e6
SHA256

7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e
SHA512

e7f4fb5bd32dc39d7ad7b83fa5c0360445b827a0612746a492520f664bfba9acf794dd3f61a6a741e44254a562587931a1d08edc7c1259a6b912aa82def72d37
SSDEEP

24576:BezRofZVtQ6eE9/RfP5yRToNO5jUFezRofZVtQ6eE9/RfP5yRToNO5jUFezRofZw:3N+IC4ra1oMFCSVBKrfRm

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2028	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28
PID 1224 wrote to memory of 2028	1224	7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe	28

C:\Users\Admin\AppData\Local\Temp\7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe
"C:\Users\Admin\AppData\Local\Temp\7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe
  "C:\Users\Admin\AppData\Local\Temp\7f4940e99aaa52e00afaa4cde35735b807d7e3ea127c92046a072f1907bfc40e.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-54-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-55-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-57-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-59-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-60-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-62-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-64-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-66-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-68-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-69-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-70-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/2028-71-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2028-72-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download