2101e0726bf4d7126778725e4e13682f2ca5e1aca62cdbd0c19dc781d9492b49

Analysis

max time kernel
2s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2023 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
Size

199KB
MD5

ecd901a84b82d00a82d45b4d0123352c
SHA1

d8780c1bfa80cd77eee71e8d3bd58699cc3f114b
SHA256

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af
SHA512

058658693bbc1e27a4feb2760112d8b7ead2e2b305b210fa3f53fcfdbd356c60aa2484264c89e634d521aa8e993054434efa6996992f5ce463e2d796b0d77518
SSDEEP

6144:/Ya6c/gRLtu+LizVGXUl45puYIlS7HpQd8l:/Y6IRLtu+LCc5HIc9Qil

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wsbwv.exe

pid process

4612 wsbwv.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wsbwv.exe

description pid process target process

PID 4612 set thread context of 2252 4612 wsbwv.exe wsbwv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

wsbwv.exe

pid process

4612 wsbwv.exe

pid	process
4612	wsbwv.exe

description	pid	process	target process
PID 4612 set thread context of 2252	4612	wsbwv.exe	wsbwv.exe

pid	process
4612	wsbwv.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exewsbwv.exe

description	pid	process	target process
PID 428 wrote to memory of 4612	428	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 428 wrote to memory of 4612	428	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 428 wrote to memory of 4612	428	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 4612 wrote to memory of 2252	4612	wsbwv.exe	wsbwv.exe
PID 4612 wrote to memory of 2252	4612	wsbwv.exe	wsbwv.exe
PID 4612 wrote to memory of 2252	4612	wsbwv.exe	wsbwv.exe
PID 4612 wrote to memory of 2252	4612	wsbwv.exe	wsbwv.exe

C:\Users\Admin\AppData\Local\Temp\eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
"C:\Users\Admin\AppData\Local\Temp\eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\wsbwv.exe
"C:\Users\Admin\AppData\Local\Temp\wsbwv.exe" C:\Users\Admin\AppData\Local\Temp\vrmmldr.b
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\wsbwv.exe
"C:\Users\Admin\AppData\Local\Temp\wsbwv.exe"
3⤵
PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dakxtybzlfr.xwg

Filesize
124KB

MD5
8ea73f85a44f7d85b1fcf620dfb646ce

SHA1
2eb620709c023dea5a6f9d654d0a8e035aee0c93

SHA256
6b86a07f89f490cde8421e973c1c1a51aafc0dd91a91ae34152e08471f04f759

SHA512
6d1b271382d9548f89b6054b708f6f752bcd1bcd1a28793e4a532c52add33ae96fde36cb31e47077e79306fe049f12009212bffa04558e8f2ab9e0595c243ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrmmldr.b

Filesize
5KB

MD5
124a8185fb1e05bda4bf7be2e65a7e80

SHA1
176cfc76e1d53a76408b6edf18d4447d54f12229

SHA256
9af00b26c915bda0c0ece51ff6d1cccf460f935c1e24807f04fee3ed77d5d71a

SHA512
7f249f4ea75db8842e2a19599079af6033ad22d8b16b45b854256856b27443559c5aeabd59642e8d5a176b89497db262ab246efd34bb390ed2475178d7f1361c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
memory/2252-137-0x0000000000000000-mapping.dmp

Download
memory/4612-132-0x0000000000000000-mapping.dmp

Download