46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2023, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe
Size

18.6MB
MD5

d0c4bf03489c430a4980252bc73cf404
SHA1

797e0487d5b6e1a0a9b737ab187eaa6e2c7972b4
SHA256

46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516
SHA512

63410489084dd0092e6d2cd719b6a5c9c6262d4a8efb8730074ad21889a410034a7d03dc27ac8d5f3bb4451d38aee5eccbb981e16189a400b8c1ea6b0f9fb082
SSDEEP

393216:pEqMT+o6+PE5ZflIImCOrS7WxWEzp8l1pfhhqcJvpo:pEqMT+hi2lzmCOsWRzpKpfb1Jq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2192	46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp

Loads dropped DLL 2 IoCs

pid	Process
2192	46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp
2192	46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 2192	404	46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe	82
PID 404 wrote to memory of 2192	404	46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe	82
PID 404 wrote to memory of 2192	404	46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe	82

C:\Users\Admin\AppData\Local\Temp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe
"C:\Users\Admin\AppData\Local\Temp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\is-KE657.tmp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KE657.tmp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp" /SL5="$B01BE,19257691,62464,C:\Users\Admin\AppData\Local\Temp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ENQRR.tmp\UpdateIcon.dll

Filesize
32KB

MD5
9da5e5c13c7cdb9d40a6d48dc144f103

SHA1
9ca63e96a74cd6e15650381713a9f21f74b2bfd0

SHA256
06bc5482590c17db6d3a8a2ed284d507ed93e239690e508a44a8af6c461cd218

SHA512
914b31962ebeea3957a1e600365197744420ee73ae36b5b9aec9a32ba24310d133f1cb377dc53b04017815a3010b0f0875e250641d40e063369627ac1c67d7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ENQRR.tmp\UpdateIcon.dll

Filesize
32KB

MD5
9da5e5c13c7cdb9d40a6d48dc144f103

SHA1
9ca63e96a74cd6e15650381713a9f21f74b2bfd0

SHA256
06bc5482590c17db6d3a8a2ed284d507ed93e239690e508a44a8af6c461cd218

SHA512
914b31962ebeea3957a1e600365197744420ee73ae36b5b9aec9a32ba24310d133f1cb377dc53b04017815a3010b0f0875e250641d40e063369627ac1c67d7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KE657.tmp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp

Filesize
672KB

MD5
74fb378605204805cdf3924a400fdca6

SHA1
b9a3c119943ede1614fe5c2a9cdeaf43cf637899

SHA256
5806004d8624613f58a333b4f553ae46179d45dbb4e686809774fe68f65f3f5c

SHA512
0888544b29995457900400524acf85763b507598ece526bac97c08c4a2246990b7e6a454bc44902455bc04c0d8648d2e1b029944ae143587cba390c1dc06afb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KE657.tmp\46d3f7be6f5db8eb7b3532abd5e20ba4ce2c5faa2421395105069106d0a11516.tmp

Filesize
672KB

MD5
74fb378605204805cdf3924a400fdca6

SHA1
b9a3c119943ede1614fe5c2a9cdeaf43cf637899

SHA256
5806004d8624613f58a333b4f553ae46179d45dbb4e686809774fe68f65f3f5c

SHA512
0888544b29995457900400524acf85763b507598ece526bac97c08c4a2246990b7e6a454bc44902455bc04c0d8648d2e1b029944ae143587cba390c1dc06afb2

Download Submit
memory/404-132-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/404-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/404-141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2192-140-0x0000000002570000-0x000000000257E000-memory.dmp

Filesize
56KB

Download