40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe
Size

8.2MB
MD5

5a21b9f05e310a2dbe8301a4bbf00db5
SHA1

0b6e73af96d4ce2be289bb23e7157f8b97d5ff31
SHA256

40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d
SHA512

81c827d70ba0f6d5df765a8bacd3921f53ea5c60f1ca7b36ab5d02ccb1092485dbf5d5d1208f768a7804690271d5f7e85fb2b42113ec9056f9b67d5a93db1803
SSDEEP

196608:sWsJeES84LaMUc7Ae/efJB2fvR3aT2OTkHfhK9Jl9Wd:sJQES/OMkrBmK6mk/SJ6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	is-8U478.tmp

Loads dropped DLL 3 IoCs

pid	Process
1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe
1456	is-8U478.tmp
1456	is-8U478.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27
PID 1528 wrote to memory of 1456	1528	40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe	27

C:\Users\Admin\AppData\Local\Temp\40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe
"C:\Users\Admin\AppData\Local\Temp\40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\is-IGA8V.tmp\is-8U478.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IGA8V.tmp\is-8U478.tmp" /SL4 $60122 "C:\Users\Admin\AppData\Local\Temp\40e3e2e03bc1a1eeec7f32f2b813f4195ba67dd08cb41de7ba4382946b68cd4d.exe" 8311216 72704
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-IGA8V.tmp\is-8U478.tmp

Filesize
656KB

MD5
69c66d1add37a646768cebcc958596c2

SHA1
c2018243dfe654bc70b9eefd9069b91be914406b

SHA256
4924545a8983a732951cc5c99a6b0365e5d98ad5f655e9abb3770031a8b3af6f

SHA512
ab59bcf5b9d1ebfedb5e4e90bf37164d7273329ce198acce5f0f2d1b5f03c7c5f244842a4fa281974aeaa90e7c3462ac1a6a864b6d5b2f2af033858c3b4ecc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IGA8V.tmp\is-8U478.tmp

Filesize
656KB

MD5
69c66d1add37a646768cebcc958596c2

SHA1
c2018243dfe654bc70b9eefd9069b91be914406b

SHA256
4924545a8983a732951cc5c99a6b0365e5d98ad5f655e9abb3770031a8b3af6f

SHA512
ab59bcf5b9d1ebfedb5e4e90bf37164d7273329ce198acce5f0f2d1b5f03c7c5f244842a4fa281974aeaa90e7c3462ac1a6a864b6d5b2f2af033858c3b4ecc25

Download Submit
\Users\Admin\AppData\Local\Temp\is-8L5MI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8L5MI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IGA8V.tmp\is-8U478.tmp

Filesize
656KB

MD5
69c66d1add37a646768cebcc958596c2

SHA1
c2018243dfe654bc70b9eefd9069b91be914406b

SHA256
4924545a8983a732951cc5c99a6b0365e5d98ad5f655e9abb3770031a8b3af6f

SHA512
ab59bcf5b9d1ebfedb5e4e90bf37164d7273329ce198acce5f0f2d1b5f03c7c5f244842a4fa281974aeaa90e7c3462ac1a6a864b6d5b2f2af033858c3b4ecc25

Download Submit
memory/1528-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1528-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1528-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download