e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728

Analysis

max time kernel
14s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe
Size

2.3MB
MD5

e5edecf1a625ebfe16007e9162c7cdc4
SHA1

9cc70338a958a0f676560490278053cbb82a6b66
SHA256

e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728
SHA512

a19fa07ce29c3aef6f40cc9630bed2350209dc34b147eae1959477abed1cb5174ac86a0ddec8ba2e59732756137a845ba6bae4901f05bce96a24448843e8e5be
SSDEEP

49152:MaRg7DRg+d0TvVaLjwVW5GtJ/ws1OY1dBpna+pT5ZvFEbWVSwb:Ma+m+dGat0t9Rj1Fas7ddF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	INSBD57.tmp

Loads dropped DLL 2 IoCs

pid	Process
1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe
1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28
PID 1888 wrote to memory of 952	1888	e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe	28

C:\Users\Admin\AppData\Local\Temp\e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe
"C:\Users\Admin\AppData\Local\Temp\e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\INSBD57.tmp
  C:\Users\Admin\AppData\Local\Temp\INSBD57.tmp /SL C:\Users\Admin\AppData\Local\Temp\e3397d98918c21b02534f7daa7fcda8232e8dc78468ff1d9acf59a9a62cc1728.exe 2412316 68096
  2⤵
  - Executes dropped EXE
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INSBD57.tmp

Filesize
364KB

MD5
d8352d45f5f66014779e0b75689885d2

SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c

SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64

SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSBD57.tmp

Filesize
364KB

MD5
d8352d45f5f66014779e0b75689885d2

SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c

SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64

SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Download Submit
\Users\Admin\AppData\Local\Temp\INSBD57.tmp

Filesize
364KB

MD5
d8352d45f5f66014779e0b75689885d2

SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c

SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64

SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Download Submit
\Users\Admin\AppData\Local\Temp\INSBD57.tmp

Filesize
364KB

MD5
d8352d45f5f66014779e0b75689885d2

SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c

SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64

SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Download Submit
memory/1888-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download