3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280

Analysis

max time kernel
63s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10-02-2023 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
Size

308KB
MD5

3803e90834f6ccf5a8f3b0bc6021f8ea
SHA1

56a70bad28d606498b79fff805b188e215b42761
SHA256

3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280
SHA512

9e4a05fcdc06681d44db4044a21b32b9de251bb584a22e3ec728aaa52938e9423a05323aa0ccaf528187615fabd80e727edd74982fca5520f94e842759406da3
SSDEEP

3072:bbG7N2kDTHUpouo4vfXvlzXf3E3FbzcsU007xV4bc8rAHivUMHDKLPGhNPi:bbE/HUxmZ4jd7xubTrtU3Ea

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe

pid	process
964	3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
964	3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exeexplorer.exe

description	pid	process	target process
PID 964 wrote to memory of 828	964	3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe	explorer.EXE
PID 964 wrote to memory of 828	964	3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe	explorer.EXE
PID 964 wrote to memory of 828	964	3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe	explorer.EXE
PID 964 wrote to memory of 828	964	3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe	explorer.EXE
PID 1164 wrote to memory of 1064	1164	explorer.exe	consent.exe
PID 1164 wrote to memory of 1064	1164	explorer.exe	consent.exe
PID 1164 wrote to memory of 1064	1164	explorer.exe	consent.exe

C:\Users\Admin\AppData\Local\Temp\3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe
"C:\Users\Admin\AppData\Local\Temp\3d8de83e9cfc9a82088d63053c4a0ceda91ad97adf4ed53dbffcda6d4e5e8280.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\explorer.EXE
"C:\Windows\explorer.EXE" C:\windows\system32\consent.exe
2⤵
PID:828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\System32\consent.exe
"C:\Windows\System32\consent.exe"
2⤵
PID:1064

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy7CDF.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7CDF.tmp\nsExec.dll
Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
memory/828-56-0x0000000000000000-mapping.dmp

Download
memory/828-57-0x000007FEFC631000-0x000007FEFC633000-memory.dmp

Filesize
8KB

Download
memory/964-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/964-62-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/1064-59-0x0000000000000000-mapping.dmp

Download