Analysis
-
max time kernel
2s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
17-01-2023 14:38
Static task
static1
Behavioral task
behavioral1
Sample
352ac725d88163238910d2a66480ba6c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
352ac725d88163238910d2a66480ba6c.exe
Resource
win10v2004-20220812-en
Errors
General
-
Target
352ac725d88163238910d2a66480ba6c.exe
-
Size
171KB
-
MD5
352ac725d88163238910d2a66480ba6c
-
SHA1
568b70f867ed54a0f4b364191f61905779def271
-
SHA256
eeb800f752648769bd2af8b1e03aa8be27d4458efe9e0450e8a24e860425b0e7
-
SHA512
44c2e7f03f5f14284e487efc1fbce5471232cd4b2160b8303302124e1e39743c0587284d493d4e6492312829849f5b3ca129da30eb262c32f6df665a7b57441b
-
SSDEEP
3072:3fY/TU9fE9PEtudb6l09deXWwHbLuo2vKFAJ24iTiU4Vqf3Vb83GuRB7SC3LM7MT:vYa6r6WneGy4SeJ2fhtJ83l3rnxd5iEb
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid 2020  fhmddjes.exe
pid 468  fhmddjes.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid 1716  352ac725d88163238910d2a66480ba6c.exe
pid 1716  352ac725d88163238910d2a66480ba6c.exe
pid 2020  fhmddjes.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 2020 set thread context of 468 (pid 2020, process fhmddjes.exe, target process fhmddjes.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 2020  fhmddjes.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 1716 wrote to memory of 2020 (pid 1716, process 352ac725d88163238910d2a66480ba6c.exe, target process fhmddjes.exe)
PID 1716 wrote to memory of 2020 (pid 1716, process 352ac725d88163238910d2a66480ba6c.exe, target process fhmddjes.exe)
PID 1716 wrote to memory of 2020 (pid 1716, process 352ac725d88163238910d2a66480ba6c.exe, target process fhmddjes.exe)
PID 1716 wrote to memory of 2020 (pid 1716, process 352ac725d88163238910d2a66480ba6c.exe, target process fhmddjes.exe)
PID 2020 wrote to memory of 468 (pid 2020, process fhmddjes.exe, target process fhmddjes.exe)
PID 2020 wrote to memory of 468 (pid 2020, process fhmddjes.exe, target process fhmddjes.exe)
PID 2020 wrote to memory of 468 (pid 2020, process fhmddjes.exe, target process fhmddjes.exe)
PID 2020 wrote to memory of 468 (pid 2020, process fhmddjes.exe, target process fhmddjes.exe)
PID 2020 wrote to memory of 468 (pid 2020, process fhmddjes.exe, target process fhmddjes.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\352ac725d88163238910d2a66480ba6c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\352ac725d88163238910d2a66480ba6c.exe"
Level 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe" C:\Users\Admin\AppData\Local\Temp\xllspynywlj.t
Level 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe"
Level 3
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\cqpdbt.qxd
Filesize
124KB
MD5
8aecd0737f96a0861084a64c7a87e2f9
SHA1
ec678f1ea6aedd1b7862a103a3cf418ab161ff24
SHA256
d5696d0430750f422a5db413ed0eed78f3a6803d51987dea747475883b7630e4
SHA512
1dc65e215d9ba6513ddd3d0f2598fd3f36fe0b8bf6f4afab422e58a0ec3aa9a8696118246b03100d1ea2702e3d9c21a9edde1f704995148f826af93a187ab8ae
-
C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Filesize
53KB
MD5
0233a5588c7f0407c6dd82b08525fd69
SHA1
095d082a3995532cf325cfa59f48c73ff2dc0c66
SHA256
bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678
SHA512
592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2
-
C:\Users\Admin\AppData\Local\Temp\xllspynywlj.t
Filesize
5KB
MD5
4c2be2568d5cc61cad9762d2ced76aa2
SHA1
1799798521ec9a262a45d4ee2cf22d93bb544031
SHA256
5f39570e66f8dc5381d762a10824de9ffa91ca49dfb22b391ceebb786e038497
SHA512
fe188c465c469457a35022e385814da3f97ebd5d689954ac43ba1aa8c90acaa32958ea61148ebf21bc6f69e617c9cb2b40be81ec3682934c62954194bdf3cc27
-
memory/468-64-0x00000000004139DE-mapping.dmp
-
memory/1716-54-0x00000000753F1000-0x00000000753F3000-memory.dmp
Filesize
8KB
-
memory/2020-57-0x0000000000000000-mapping.dmp