a45ab1b5ea9dc10286fcba7b397d9aa5320a68de991c8839bb829f5c7dcfce79

Analysis

max time kernel
90s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05/01/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HP1_Setup[1].exe
Size

255.6MB
MD5

0ebfe95e8c7fe061a51de599cc7519b8
SHA1

8eab8fc090e3a4711ab817b7a05b3b6ba2074619
SHA256

a45ab1b5ea9dc10286fcba7b397d9aa5320a68de991c8839bb829f5c7dcfce79
SHA512

f394357f397d2a041bcbcae7e7de4a36ab8537ff7ab25dbae9849df90676c275d4f1fbf258c198f94a1e6173f7a560fc25319c32dcf3369b863e6a96aea92737
SSDEEP

6291456:0daalosqwk7jrmPKY+kzcUCqeODA/F/OoQdSwHFiHj:3ays47FLkbOODAF2liHj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5092	HP1_Setup[1].tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 5092	1776	HP1_Setup[1].exe	82
PID 1776 wrote to memory of 5092	1776	HP1_Setup[1].exe	82
PID 1776 wrote to memory of 5092	1776	HP1_Setup[1].exe	82

C:\Users\Admin\AppData\Local\Temp\HP1_Setup[1].exe
"C:\Users\Admin\AppData\Local\Temp\HP1_Setup[1].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\is-D4V0A.tmp\HP1_Setup[1].tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D4V0A.tmp\HP1_Setup[1].tmp" /SL5="$8006E,267604656,163328,C:\Users\Admin\AppData\Local\Temp\HP1_Setup[1].exe"
  2⤵
  - Executes dropped EXE
  PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-D4V0A.tmp\HP1_Setup[1].tmp

Filesize
773KB

MD5
cfa982aca74af097dea703eeeb89169f

SHA1
d9ec4f3494489a916cf52d49c401de3f977d7a32

SHA256
878ab0998b0ee0eae16a670e095e04439926a5ed5995dfd7d070c9d42bbbf951

SHA512
be3be5d6126c333fcdf47d25ad728c864a41f738e2913bf637bfc0e8d0d3f867321f2e022395254a09b50ff7f9dc0510d47b858ff5d5bbab0f1854550f87a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D4V0A.tmp\HP1_Setup[1].tmp

Filesize
773KB

MD5
cfa982aca74af097dea703eeeb89169f

SHA1
d9ec4f3494489a916cf52d49c401de3f977d7a32

SHA256
878ab0998b0ee0eae16a670e095e04439926a5ed5995dfd7d070c9d42bbbf951

SHA512
be3be5d6126c333fcdf47d25ad728c864a41f738e2913bf637bfc0e8d0d3f867321f2e022395254a09b50ff7f9dc0510d47b858ff5d5bbab0f1854550f87a811

Download Submit
memory/1776-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download