b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2022, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe
Size

1.0MB
MD5

2e512c94a3d0b90ba9fd5e82073c99ae
SHA1

3f908389a9b65ad0c004d6dd3564fffde6025068
SHA256

b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45
SHA512

dc227bb4bd94c37fc1c116ebdc1ef579c35deb390abc3b1de049da55672249fdfc78d1439eaa18aa06f04c6abb14f786d971eb2a9211d0e68300493588364e5c
SSDEEP

24576:zvfOydJf45O2zCbWrKTY4H7W8ajvdBZNZ33HTVjWN5uHn69lZ8:TGMJf4UHqrKMCfajvXZNZ33BWHuH69li

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4172	Stp80ED_TMP.EXE
4560	is-IGJ25.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4172	4960	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	81
PID 4960 wrote to memory of 4172	4960	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	81
PID 4960 wrote to memory of 4172	4960	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	81
PID 4172 wrote to memory of 4560	4172	Stp80ED_TMP.EXE	82
PID 4172 wrote to memory of 4560	4172	Stp80ED_TMP.EXE	82
PID 4172 wrote to memory of 4560	4172	Stp80ED_TMP.EXE	82

C:\Users\Admin\AppData\Local\Temp\b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe
"C:\Users\Admin\AppData\Local\Temp\b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\Stp80ED_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\Stp80ED_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\is-6PN53.tmp\is-IGJ25.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6PN53.tmp\is-IGJ25.tmp" /SL4 $901CE "C:\Users\Admin\AppData\Local\Temp\Stp80ED_TMP.EXE" 794944 51200
    3⤵
    - Executes dropped EXE
    PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stp80ED_TMP.EXE

Filesize
1020KB

MD5
5a0fe4a042503d77506ad34e23f4493c

SHA1
4f83b622705c9db0825b5cb5008d573611120125

SHA256
9c3f6ddb5678154b501ae05e5509c528d7db63b073f60d5080e619d26a0c5bcd

SHA512
3485faf6fe26ffbfc0c4789a41ab851bdc6e92dfc43472a17a2f88e1a41c9dbd043774dfc688fbdf50038d7d95e65feb556879441037d894a7ce1aab077ca382

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stp80ED_TMP.EXE

Filesize
1020KB

MD5
5a0fe4a042503d77506ad34e23f4493c

SHA1
4f83b622705c9db0825b5cb5008d573611120125

SHA256
9c3f6ddb5678154b501ae05e5509c528d7db63b073f60d5080e619d26a0c5bcd

SHA512
3485faf6fe26ffbfc0c4789a41ab851bdc6e92dfc43472a17a2f88e1a41c9dbd043774dfc688fbdf50038d7d95e65feb556879441037d894a7ce1aab077ca382

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PN53.tmp\is-IGJ25.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PN53.tmp\is-IGJ25.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
memory/4172-135-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4172-140-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download