af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb

Analysis

max time kernel
6s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 16:02

Target

af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe
Size

162KB
MD5

c4b58d69d59ca4aab31006601fffa345
SHA1

52fccbbba94e38c10ad2a12ac072ad1502d7b738
SHA256

af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb
SHA512

5bb2377b50fcd7e86da13ebf957d4ca77444433709417fcf0d923ced54a5127ad9455a8566eda505e2f1513b26c0231ba13f2a6df3fed85632291261ad1c2a6e
SSDEEP

3072:f9BQf+L0ghfXmsHHFLXPi+8iJeWANdGCDkvo15axIM1L0qETSfH1:f9uWL0gh/mIHFDPi+5J9A6CDexI5VTS9

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
868	new90.exe

Loads dropped DLL 2 IoCs

pid	Process
960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe
960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	new90.exe
868	new90.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28
PID 960 wrote to memory of 868	960	af5f486f56c1c6f84041e5084de5c0594765561cbf04b6663b945f6e2606b2eb.exe	28

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\new90.exe

Filesize
90KB

MD5
331e62444933e3c2205bce5eecc11a5f

SHA1
72c4405f29778e780d35a9a0fa7d9b76ba596c0e

SHA256
f786808d88d124b94ef63f33529e80628590759ce8b0f2f9310304b6e619eac0

SHA512
f1cbc9081c06a138e52654670dbe9b07433f6e9ff6f6a703089300a34be90544176e1c13d31d3f39eef161d664247fa78b8c847c2a852a22fbf7fb3e0192b8b0

Download Submit
\Users\Admin\AppData\Local\Temp\new90.exe

Filesize
90KB

MD5
331e62444933e3c2205bce5eecc11a5f

SHA1
72c4405f29778e780d35a9a0fa7d9b76ba596c0e

SHA256
f786808d88d124b94ef63f33529e80628590759ce8b0f2f9310304b6e619eac0

SHA512
f1cbc9081c06a138e52654670dbe9b07433f6e9ff6f6a703089300a34be90544176e1c13d31d3f39eef161d664247fa78b8c847c2a852a22fbf7fb3e0192b8b0

Download Submit
\Users\Admin\AppData\Local\Temp\new90.exe

Filesize
90KB

MD5
331e62444933e3c2205bce5eecc11a5f

SHA1
72c4405f29778e780d35a9a0fa7d9b76ba596c0e

SHA256
f786808d88d124b94ef63f33529e80628590759ce8b0f2f9310304b6e619eac0

SHA512
f1cbc9081c06a138e52654670dbe9b07433f6e9ff6f6a703089300a34be90544176e1c13d31d3f39eef161d664247fa78b8c847c2a852a22fbf7fb3e0192b8b0

Download Submit
memory/960-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download