d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651

Analysis

max time kernel
167s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 07:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe
Size

22KB
MD5

d691ea1943bd226d692a57552fde9fdb
SHA1

a3a40cee5547ba05181a8c8fd93a839388088625
SHA256

d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651
SHA512

2e8d50c27cb8448cc6b7ea748c169b6fc511d9fc921f2dc46c6fce1818036d3dc78e0b808c8b22001dae1adf777a6997e9001590308153ae80b0ba3e5f87ec34
SSDEEP

384:srJb33WYuz65JbcBicdGsCwlmgrmWp2qKUDLLO00:KvJbnn0lbqWM2C00

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1160	d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe
1160	d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1952	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1492	1160	d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe	28
PID 1160 wrote to memory of 1492	1160	d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe	28
PID 1160 wrote to memory of 1492	1160	d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe	28
PID 1160 wrote to memory of 1492	1160	d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe	28
PID 1492 wrote to memory of 1952	1492	cmd.exe	30
PID 1492 wrote to memory of 1952	1492	cmd.exe	30
PID 1492 wrote to memory of 1952	1492	cmd.exe	30
PID 1492 wrote to memory of 1952	1492	cmd.exe	30
PID 1952 wrote to memory of 1432	1952	svchost.exe	31
PID 1952 wrote to memory of 1432	1952	svchost.exe	31
PID 1952 wrote to memory of 1432	1952	svchost.exe	31
PID 1952 wrote to memory of 1432	1952	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe
"C:\Users\Admin\AppData\Local\Temp\d0ce29186286747a77cef62c90989efb2158b31c208dd4ea08d3ba037b19e651.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c run.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    svchost.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"
      4⤵
      PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\reg.vbs

Filesize
292B

MD5
344f0e480669a6cfd147877470601f46

SHA1
64a32bcf575b29267f4d2f1f834ce9cb12640dec

SHA256
258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6

SHA512
cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
11B

MD5
d1c56374fff0243832b8696d133b7861

SHA1
f4d236fdec2fd03914189c3b26e5cb0dfea9d761

SHA256
8e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6

SHA512
e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452

Download Submit
memory/1160-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1160-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-64-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1952-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download