e87ce4880bcd4b1e7236c27a286db8f08f1b96d9135a61f91009ec11583c13e5

Analysis

max time kernel
80s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2023, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a8fece9be5ac03498418c8af5c6aece.exe
Size

271KB
MD5

6a8fece9be5ac03498418c8af5c6aece
SHA1

606c588636eed1bc7edebc7ac3ce19e7b79d2cb6
SHA256

e87ce4880bcd4b1e7236c27a286db8f08f1b96d9135a61f91009ec11583c13e5
SHA512

e3b82a6731879d38e160ce3121e339bc4f5b3bbc3266c99e12a413061a3a7768d4913c20096b4dd17ef7f62f2e0008693fedda6de870ee335874bf3ddc21628a
SSDEEP

6144:/Ya6fiDubloeu2NxgovVkHmSQM6mHkDFEr70S4jzaWyAAFLs1TkDjh+60w:/YViD6oTyxgovWGjM1DH0vs3l2k/h+/w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2108	hsghrzg.exe
2440	hsghrzg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2440	2108	hsghrzg.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3136	2440	WerFault.exe	86

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2108	hsghrzg.exe
2108	hsghrzg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2108	2024	6a8fece9be5ac03498418c8af5c6aece.exe	85
PID 2024 wrote to memory of 2108	2024	6a8fece9be5ac03498418c8af5c6aece.exe	85
PID 2024 wrote to memory of 2108	2024	6a8fece9be5ac03498418c8af5c6aece.exe	85
PID 2108 wrote to memory of 2440	2108	hsghrzg.exe	86
PID 2108 wrote to memory of 2440	2108	hsghrzg.exe	86
PID 2108 wrote to memory of 2440	2108	hsghrzg.exe	86
PID 2108 wrote to memory of 2440	2108	hsghrzg.exe	86

C:\Users\Admin\AppData\Local\Temp\6a8fece9be5ac03498418c8af5c6aece.exe
"C:\Users\Admin\AppData\Local\Temp\6a8fece9be5ac03498418c8af5c6aece.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe
  "C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe" C:\Users\Admin\AppData\Local\Temp\wugzqcv.gt
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe
    "C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe"
    3⤵
    - Executes dropped EXE
    PID:2440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 184
      4⤵
      Program crash
      PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2440 -ip 2440
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe

Filesize
53KB

MD5
e114ef9c02e5de0410651abc9b2d36d7

SHA1
2ba2fd413cf45b8f49c337eb533b23840eaeff74

SHA256
b13a9a1510f122dd11e24321f3283a9538fce9f20121e918c14663f2e1a2c01b

SHA512
8c6d30dcfc52da8987e3f6bf8c764b2dd7665511f11ed0ecc4505e0373c4a40f961db1ba4c1e6d71d03f063b23eb8d8d6f34ea6a35b51a733d7d15bd4746280b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe

Filesize
53KB

MD5
e114ef9c02e5de0410651abc9b2d36d7

SHA1
2ba2fd413cf45b8f49c337eb533b23840eaeff74

SHA256
b13a9a1510f122dd11e24321f3283a9538fce9f20121e918c14663f2e1a2c01b

SHA512
8c6d30dcfc52da8987e3f6bf8c764b2dd7665511f11ed0ecc4505e0373c4a40f961db1ba4c1e6d71d03f063b23eb8d8d6f34ea6a35b51a733d7d15bd4746280b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsghrzg.exe

Filesize
53KB

MD5
e114ef9c02e5de0410651abc9b2d36d7

SHA1
2ba2fd413cf45b8f49c337eb533b23840eaeff74

SHA256
b13a9a1510f122dd11e24321f3283a9538fce9f20121e918c14663f2e1a2c01b

SHA512
8c6d30dcfc52da8987e3f6bf8c764b2dd7665511f11ed0ecc4505e0373c4a40f961db1ba4c1e6d71d03f063b23eb8d8d6f34ea6a35b51a733d7d15bd4746280b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzlwssdip.n

Filesize
205KB

MD5
edc190572cb7754a1426e153cd810757

SHA1
ea0dec74765106674bf47efcc3e5e1f530ece321

SHA256
afa0c6353b3916b9dff7602131c7f6d22cf01605759ccb3516656743ba46a304

SHA512
f9e4f3dd4f8b5651a593e257333dfa7fe0c8608aa3736ecb555bd083bafca5dd56b26d15654faea3585faa7f060da6a8aab8ad6f3b3e3063040e297da593e693

Download Submit
C:\Users\Admin\AppData\Local\Temp\wugzqcv.gt

Filesize
5KB

MD5
1b4d99be47e85888dfc5e844b3310827

SHA1
10963a470ab269dbde7119a2906f30bb0f25dc1a

SHA256
dba1c97127a0f2d4770904d4b7851dbee81373d1427ae2f43deef6a6df535663

SHA512
b7f395e587288b1981237fa655a6091435b8cb08ea20a8f140161a24c4d7f5723dbb04b07d7a18d9883d8b4e63a45788a83ea6333004a422cb25923ea1f30ed8

Download Submit
memory/2440-142-0x00000000007A0000-0x00000000007CF000-memory.dmp

Filesize
188KB

Download