e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe
Size

41KB
MD5

095be71db8bf27fc4db5e414ccc2ee31
SHA1

7d101711ed050ee4fdbf8bb1f9504938e6a02aea
SHA256

e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac
SHA512

4c67200af2c8be6de962ae27680910a52bcdd356a9a6fcf9f6f646b6f848ff2e3f872de34150bb9f11fe98351d19768224eb6f2d51682098dc320a695c103066
SSDEEP

768:QIBar1ZIZYnfI9opm6AIHIjaI7g9mVmUnioNE/W5dRV8:pW1ZIZqI9opm6AIHIjzmUzNzd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
760	sxhost.exe

Deletes itself 1 IoCs

pid	Process
1684	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe
1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 760	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	27
PID 1388 wrote to memory of 760	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	27
PID 1388 wrote to memory of 760	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	27
PID 1388 wrote to memory of 760	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	27
PID 1388 wrote to memory of 1684	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	28
PID 1388 wrote to memory of 1684	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	28
PID 1388 wrote to memory of 1684	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	28
PID 1388 wrote to memory of 1684	1388	e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe	28
PID 760 wrote to memory of 1768	760	sxhost.exe	32
PID 760 wrote to memory of 1768	760	sxhost.exe	32
PID 760 wrote to memory of 1768	760	sxhost.exe	32
PID 760 wrote to memory of 1768	760	sxhost.exe	32

C:\Users\Admin\AppData\Local\Temp\e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe
"C:\Users\Admin\AppData\Local\Temp\e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\sxhost.exe
  "C:\Users\Admin\sxhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\sxhost.exe >> NUL
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E81CF1~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sxhost.exe

Filesize
41KB

MD5
095be71db8bf27fc4db5e414ccc2ee31

SHA1
7d101711ed050ee4fdbf8bb1f9504938e6a02aea

SHA256
e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac

SHA512
4c67200af2c8be6de962ae27680910a52bcdd356a9a6fcf9f6f646b6f848ff2e3f872de34150bb9f11fe98351d19768224eb6f2d51682098dc320a695c103066

Download Submit
C:\Users\Admin\sxhost.exe

Filesize
41KB

MD5
095be71db8bf27fc4db5e414ccc2ee31

SHA1
7d101711ed050ee4fdbf8bb1f9504938e6a02aea

SHA256
e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac

SHA512
4c67200af2c8be6de962ae27680910a52bcdd356a9a6fcf9f6f646b6f848ff2e3f872de34150bb9f11fe98351d19768224eb6f2d51682098dc320a695c103066

Download Submit
\Users\Admin\sxhost.exe

Filesize
41KB

MD5
095be71db8bf27fc4db5e414ccc2ee31

SHA1
7d101711ed050ee4fdbf8bb1f9504938e6a02aea

SHA256
e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac

SHA512
4c67200af2c8be6de962ae27680910a52bcdd356a9a6fcf9f6f646b6f848ff2e3f872de34150bb9f11fe98351d19768224eb6f2d51682098dc320a695c103066

Download Submit
\Users\Admin\sxhost.exe

Filesize
41KB

MD5
095be71db8bf27fc4db5e414ccc2ee31

SHA1
7d101711ed050ee4fdbf8bb1f9504938e6a02aea

SHA256
e81cf1b3b935df71dfb7d4b85ad00f9437d7201da6224201d3e42943bc5568ac

SHA512
4c67200af2c8be6de962ae27680910a52bcdd356a9a6fcf9f6f646b6f848ff2e3f872de34150bb9f11fe98351d19768224eb6f2d51682098dc320a695c103066

Download Submit
memory/760-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/760-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1388-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1388-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1388-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download