539b3bd3de173dfe269e69a7def46dbd0d7fcf686082339cd7ca47dcaa83f528

Analysis

max time kernel
110s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2023, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d.exe
Size

250KB
MD5

59c136d7e714c16d71eccd5866a2f947
SHA1

3e9c7a762714ec22538c32650699771b5f8a75a1
SHA256

2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d
SHA512

0f0df6f0a4c63d4104154fa1f43e4b677bb5f35e7cbf79b8bdae1b7c75fbe823781104925ec4cf200af4f2409c7273a5d111c97e878b1c1933dac14ce750b400
SSDEEP

6144:vYa6Hxg2uIn0WLudQacB9S2xG9vXwNx27kP:vYVkW0WLudQ/vG9PwG78

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1476	mkexw.exe
612	mkexw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 612	1476	mkexw.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	612	WerFault.exe	88

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1476	mkexw.exe
1476	mkexw.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 1476	3368	2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d.exe	87
PID 3368 wrote to memory of 1476	3368	2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d.exe	87
PID 3368 wrote to memory of 1476	3368	2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d.exe	87
PID 1476 wrote to memory of 612	1476	mkexw.exe	88
PID 1476 wrote to memory of 612	1476	mkexw.exe	88
PID 1476 wrote to memory of 612	1476	mkexw.exe	88
PID 1476 wrote to memory of 612	1476	mkexw.exe	88

C:\Users\Admin\AppData\Local\Temp\2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d.exe
"C:\Users\Admin\AppData\Local\Temp\2f040ceba0282e33a44d08e54dd69ad0f3cf323421975ff3ad4161f7aeb6655d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\mkexw.exe
  "C:\Users\Admin\AppData\Local\Temp\mkexw.exe" C:\Users\Admin\AppData\Local\Temp\mspngcgbbox.oyw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\mkexw.exe
    "C:\Users\Admin\AppData\Local\Temp\mkexw.exe"
    3⤵
    - Executes dropped EXE
    PID:612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 184
      4⤵
      Program crash
      PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 612 -ip 612
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adxmx.ty

Filesize
206KB

MD5
cf3c8ee5363f31d21d7a25363266864d

SHA1
3e0094355f2502ce8dc6bd7e6550b7612f732298

SHA256
cec5a30b0fb406b3cf68ccd483ebf2affa296cfe54a999d7007b9e6c22015034

SHA512
12586ba1476ca4971946dedf32049b77b8296432aa095253a19b547a6099512c9816f6631acf684a11ba5bef4f3901cdac219e5f2c52755afc7a00c7eba5005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkexw.exe

Filesize
6KB

MD5
386450fb847cc0f9e49aa26c6dbc3c63

SHA1
f5a7e0143a16a1af871fbece44babf7305c7622d

SHA256
2c18bed630bac6b58dca6c08ebae4686e5c68194262000cca3a9e8cf4995e5c7

SHA512
ff764746ccf8ccf52f95f1f9d33141f44cfb32e833972deb050ce79cbd7ce4b71a6d61e0a3e5f2ff585857624bcadc9acbc27e8f827eff3a53527da9fc69c436

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkexw.exe

Filesize
6KB

MD5
386450fb847cc0f9e49aa26c6dbc3c63

SHA1
f5a7e0143a16a1af871fbece44babf7305c7622d

SHA256
2c18bed630bac6b58dca6c08ebae4686e5c68194262000cca3a9e8cf4995e5c7

SHA512
ff764746ccf8ccf52f95f1f9d33141f44cfb32e833972deb050ce79cbd7ce4b71a6d61e0a3e5f2ff585857624bcadc9acbc27e8f827eff3a53527da9fc69c436

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkexw.exe

Filesize
6KB

MD5
386450fb847cc0f9e49aa26c6dbc3c63

SHA1
f5a7e0143a16a1af871fbece44babf7305c7622d

SHA256
2c18bed630bac6b58dca6c08ebae4686e5c68194262000cca3a9e8cf4995e5c7

SHA512
ff764746ccf8ccf52f95f1f9d33141f44cfb32e833972deb050ce79cbd7ce4b71a6d61e0a3e5f2ff585857624bcadc9acbc27e8f827eff3a53527da9fc69c436

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspngcgbbox.oyw

Filesize
5KB

MD5
8edb7faf187f1ad0c3c29574ab438367

SHA1
e8fb0bbaf4b677205c3a54a0debcfd99d748932a

SHA256
44fcc236b7c31ea5ee09a95dd6f97bdec378f2107801e88fa874ebdde9f2b48b

SHA512
c0da40747f08e920ea59594aec0a7e5bf8ab8806ec6fb649185350818cd8f5b33c1c07c932344fc10df605f8e653cec2e8735128ae947e99b11919d8085aee85

Download Submit
memory/612-142-0x0000000000750000-0x000000000077F000-memory.dmp

Filesize
188KB

Download