2a6cf187bcb946e0c4834517ce0b969cbd75aa413cd5925f550984b9e660b866

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2023, 13:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b38868eff8933d60043ed58d0994deb049795436.exe
Size

953KB
MD5

095483794408fd8f2479ace6c73cabe7
SHA1

b38868eff8933d60043ed58d0994deb049795436
SHA256

2a6cf187bcb946e0c4834517ce0b969cbd75aa413cd5925f550984b9e660b866
SHA512

10bfacba10953e6e73a77982e1525c8f1ddec4bc1de05f9947dff1cfb13811f6c52b3eb4013098403871994fcfe6a5adfb210d00451feb9c32c27e4f4a9827c6
SSDEEP

24576:/Y9UJRSwF02rg71YIWmZ20/5obbJ1SnVQtJ:AvQM7+3E2J1SnVa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3184	mchplkp.exe
4764	mchplkp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 4764	3184	mchplkp.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4764	mchplkp.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3184	mchplkp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	mchplkp.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3184	2140	b38868eff8933d60043ed58d0994deb049795436.exe	81
PID 2140 wrote to memory of 3184	2140	b38868eff8933d60043ed58d0994deb049795436.exe	81
PID 2140 wrote to memory of 3184	2140	b38868eff8933d60043ed58d0994deb049795436.exe	81
PID 3184 wrote to memory of 4764	3184	mchplkp.exe	82
PID 3184 wrote to memory of 4764	3184	mchplkp.exe	82
PID 3184 wrote to memory of 4764	3184	mchplkp.exe	82
PID 3184 wrote to memory of 4764	3184	mchplkp.exe	82

C:\Users\Admin\AppData\Local\Temp\b38868eff8933d60043ed58d0994deb049795436.exe
"C:\Users\Admin\AppData\Local\Temp\b38868eff8933d60043ed58d0994deb049795436.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\mchplkp.exe
  "C:\Users\Admin\AppData\Local\Temp\mchplkp.exe" C:\Users\Admin\AppData\Local\Temp\bidkqvfr.t
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\mchplkp.exe
    "C:\Users\Admin\AppData\Local\Temp\mchplkp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bidkqvfr.t

Filesize
6KB

MD5
f4aa363354de10e22e628f548cf10c15

SHA1
fed82229f06fd39dcf1065bf3cfbb518fbd6aca3

SHA256
2956c5655e87bf6a6f77b60a53b67bb675f9bf302fae371e9d0d5cf2ca191314

SHA512
ed30cd133043d68ed8613d9aa49eb4fe796af737146217c79c64a5f83ccacfc99cd1035f10bafcbfe345e22e8e2f48c276876976b3630d875e2ff4241384f1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lajlxzazyjb.s

Filesize
916KB

MD5
ee6f754c87a08094a6d6a4f46d8064db

SHA1
9c9b4f21fb125cb35110ea80b8964c01c483705b

SHA256
722e4c13c436218aee744c9b23665a94950e8dbd89f49fc217a6397ef55b755e

SHA512
1961705e55e5c8d9157dc4779fd6535217ed6224e275bb865e70b8ab7936048c053bba0cd6368578ffa8d7a62f22daa4b02d51faae2b69eba51c425f6bd070d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mchplkp.exe

Filesize
75KB

MD5
37404f76bea4adb9c0f866cfec35dd1a

SHA1
fd0182d965bf55728083193de492878334f5974e

SHA256
340bdb03aabbd1cfb7dcb6f9bd631f50a3b46cc42879aa5631b72b542d975dc0

SHA512
e00a4fd77dfe0c680263529db69e10aee04fbc605c435b3b644c199edd3bd645047bc09dfbe8fa7b81b65e9f390ea6ad39e80f4b1a1c3c0e966b419bc43b66c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mchplkp.exe

Filesize
75KB

MD5
37404f76bea4adb9c0f866cfec35dd1a

SHA1
fd0182d965bf55728083193de492878334f5974e

SHA256
340bdb03aabbd1cfb7dcb6f9bd631f50a3b46cc42879aa5631b72b542d975dc0

SHA512
e00a4fd77dfe0c680263529db69e10aee04fbc605c435b3b644c199edd3bd645047bc09dfbe8fa7b81b65e9f390ea6ad39e80f4b1a1c3c0e966b419bc43b66c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mchplkp.exe

Filesize
75KB

MD5
37404f76bea4adb9c0f866cfec35dd1a

SHA1
fd0182d965bf55728083193de492878334f5974e

SHA256
340bdb03aabbd1cfb7dcb6f9bd631f50a3b46cc42879aa5631b72b542d975dc0

SHA512
e00a4fd77dfe0c680263529db69e10aee04fbc605c435b3b644c199edd3bd645047bc09dfbe8fa7b81b65e9f390ea6ad39e80f4b1a1c3c0e966b419bc43b66c7

Download Submit
memory/4764-139-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4764-140-0x0000000007070000-0x00000000070D6000-memory.dmp

Filesize
408KB

Download
memory/4764-141-0x0000000002340000-0x0000000002362000-memory.dmp

Filesize
136KB

Download
memory/4764-142-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download