cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6

Analysis

max time kernel
200s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
Size

182KB
MD5

b0ed60feb4ac8a0840b745e0d1082243
SHA1

bf48099afe126b855706310ea45a78ede2e20b3c
SHA256

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6
SHA512

a8f9436478ff60e532f24ef2de105d6839a7a6531d84294814f11f6d9bd0cecf6d97498371d6a131abd1b9063e9ce076f51171dc8b1c27a5113ba6c3dc53ec74
SSDEEP

3072:CImQYNtmlphxLDTMcbHjqgm3BS8DVMTZyXBF1pWUyT:CImQY/gp3TPDrm3BpjRF1u

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.execb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exemouseserv.exemouseserv.exe

pid	process
4236	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
4236	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
4524	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
4524	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
208	mouseserv.exe
208	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe
2880	mouseserv.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe

pid process

4524 cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe

pid	process
4524	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exemouseserv.exe

description	pid	process	target process
PID 4236 wrote to memory of 4524	4236	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 4236 wrote to memory of 4524	4236	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 4236 wrote to memory of 4524	4236	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe	cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
PID 208 wrote to memory of 2880	208	mouseserv.exe	mouseserv.exe
PID 208 wrote to memory of 2880	208	mouseserv.exe	mouseserv.exe
PID 208 wrote to memory of 2880	208	mouseserv.exe	mouseserv.exe

C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
"C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe
"C:\Users\Admin\AppData\Local\Temp\cb51ef714e8cc0a98b961580cd598eb4266b86c232e501ad26ab5f5079354bd6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4524

C:\Windows\SysWOW64\mouseserv.exe
"C:\Windows\SysWOW64\mouseserv.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\mouseserv.exe
"C:\Windows\SysWOW64\mouseserv.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-144-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-140-0x0000000000000000-mapping.dmp

Download
memory/4236-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4236-132-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/4236-136-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/4236-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4236-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4524-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4524-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4524-133-0x0000000000000000-mapping.dmp

Download