Analysis
max time kernel: 63s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 10-02-2023 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
  Resource: win10v2004-20221111-en
General
Target: 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
Size: 308KB
MD5: 3803e90834f6ccf5a8f3b0bc6021f8ea
SHA1: 56a70bad28d606498b79fff805b188e215b42761
SHA256: 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280
SHA512: 9e4a05fcdc06681d44db4044a21b32b9de251bb584a22e3ec728aaa52938e9423a05323aa0ccaf528187615fabd80e727edd74982fca5520f94e842759406da3
SSDEEP: 3072:bbG7N2kDTHUpouo4vfXvlzXf3E3FbzcsU007xV4bc8rAHivUMHDKLPGhNPi:bbE/HUxmZ4jd7xubTrtU3Ea
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    964  3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
    964  3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description; pid; process; target process):
    PID 964 wrote to memory of 828; 964; 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe; explorer.EXE
    PID 964 wrote to memory of 828; 964; 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe; explorer.EXE
    PID 964 wrote to memory of 828; 964; 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe; explorer.EXE
    PID 964 wrote to memory of 828; 964; 3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe; explorer.EXE
    PID 1164 wrote to memory of 1064; 1164; explorer.exe; consent.exe
    PID 1164 wrote to memory of 1064; 1164; explorer.exe; consent.exe
    PID 1164 wrote to memory of 1064; 1164; explorer.exe; consent.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe"
  PID: 964
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.EXE
    Command line: "C:\Windows\explorer.EXE" C:\windows\system32\consent.exe
    PID: 828
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1164
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\consent.exe
    Command line: "C:\Windows\System32\consent.exe"
    PID: 1064
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsy7CDF.tmp\System.dll
  Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- \Users\Admin\AppData\Local\Temp\nsy7CDF.tmp\nsExec.dll
  Filesize: 7KB
  MD5: 675c4948e1efc929edcabfe67148eddd
  SHA1: f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
  SHA256: 1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
  SHA512: 61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683
- memory/828-56-0x0000000000000000-mapping.dmp
- memory/828-57-0x000007FEFC631000-0x000007FEFC633000-memory.dmp
  Filesize: 8KB
- memory/964-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
  Filesize: 8KB
- memory/964-62-0x00000000024B0000-0x00000000030FA000-memory.dmp
  Filesize: 12.3MB
- memory/1064-59-0x0000000000000000-mapping.dmp